On Wed, Oct 29, 2008 at 11:16:46AM +0000, Andy Jenkinson wrote:
> Andreas Kahari wrote:
>> On Wed, Oct 29, 2008 at 10:10:38AM +0000, Dave Howorth wrote:
>>> It's my understanding (though I am not a lawyer :) that storing a
>>> username together with a password constitutes 'private data' and that any
>>> database or other mechanism used to store that information would
>>> therefore need to be registered with your organisation and be audited. I
>>> also understand that ignoring the requirement is a sacking offence, at
>>> least where I work.
>>
>> Most password authentication software does not store plain text
>> passwords, only checksums (e.g. MD5 or SHA1) of passwords. This is the
>> case on modern UNIX and UNIX-like operating systems (for user login
>> authentication) as well as for most software systems supporting password
>> authentication, for example Apache (see manual for htpasswd).
>
> It's not 100% clear whether this qualifies as "does not need to be
> audited" or "would pass audit". It would come down to what exactly is
> considered "private data", according to local policy.

Believe me when I say I'm very happy that I do not need to be part of
this discussion...

Best of luck,
Andreas

--
Andreas Kähäri, Ensembl Software Developer
European Bioinformatics Institute (EMBL-EBI)
Wellcome Trust Genome Campus, Hinxton
Cambridge CB10 1SD, United Kingdom
_______________________________________________
DAS mailing list
[email protected]
http://lists.open-bio.org/mailman/listinfo/das
