On Mar 1, 2010, at 2:56 PM, Chris wrote:

> Hello,
> 
> When working with photo APIs such as twitpic, what is the best way of
> storing the password?
> Since the password needs to be sent in its natural form, hashing is
> not an option. I recently read that a company was held
> accountable (sued) for not encrypting their users' API passwords and
> would rather be safe than sorry. I haven't been able to find an
> effective way of doing so. Also I am using Postgres as my DB.
> 
> Any suggestions?
> 

We encrypt passwords in the model before storing them in the database.  For 
security reasons unique to our application, we don't have the model decrypt the 
passwords.  Our backend pulls the encrypted password from Django and it 
decrypts the password before use.  We use asymmetric encryption, so a 
compromise of our web servers and our database servers cannot result in 
decryption of all the stored passwords.

In our case, we deal with something of more value than photographs.  If you're 
only dealing with photographs, not personally identifiable information, credit 
card numbers, or medical information, I would use symmetric encryption as some 
of the other posters have mentioned.  I wouldn't worry about getting sued: what 
kind of damages would people have?  Your EULA should already limit your 
liability.

--
Eric Chamberlain
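The split Eric describes (the Django/web tier can only encrypt, and only a separate backend holding the private key can decrypt) is illustrated below as an added example; it is not code from the original thread or from any poster's application. It assumes the `cryptography` package and uses hybrid encryption: a fresh AES-256-GCM key protects the password itself (the symmetric scheme the other posters suggested, on its own, is just this inner layer with a long-lived key), and RSA-OAEP wraps that key with the public key, so a dump of the web servers plus the database yields only blobs that cannot be opened without the backend's private key. The `user:42` context string and the helper names are constructed for the example.

```python
"""Envelope-encrypt a third-party API password: the web tier holds only the
public key and can encrypt; the backend holds the private key and decrypts.
Added example using the `cryptography` package; names are illustrative."""
import base64
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256 for wrapping the per-record data key.
OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def generate_keypair():
    """Backend side: create the key pair once. The private key never leaves
    the backend; only the PEM public key is deployed to the Django tier."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_key, public_pem


def encrypt_for_backend(public_pem: bytes, plaintext: str, context: bytes) -> str:
    """Web-tier side (e.g. called from a model's save()).

    A random AES-256-GCM key encrypts the password; RSA-OAEP wraps that key.
    `context` (e.g. the owning user's id) is authenticated but not encrypted,
    so a blob moved to another user's row fails to decrypt."""
    public_key = serialization.load_pem_public_key(public_pem)
    data_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)  # 96-bit nonce, unique per data key
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext.encode(), context)
    wrapped_key = public_key.encrypt(data_key, OAEP)
    # One opaque string suitable for a TextField: wrapped_key.nonce.ciphertext
    return ".".join(
        base64.b64encode(part).decode() for part in (wrapped_key, nonce, ciphertext)
    )


def decrypt_on_backend(private_key, blob: str, context: bytes) -> str:
    """Backend side: unwrap the data key with the private key, then open the
    AES-GCM envelope. Raises InvalidTag if blob or context was altered."""
    wrapped_key, nonce, ciphertext = (base64.b64decode(p) for p in blob.split("."))
    data_key = private_key.decrypt(wrapped_key, OAEP)
    return AESGCM(data_key).decrypt(nonce, ciphertext, context).decode()


def can_decrypt(private_key, blob: str, context: bytes) -> bool:
    """True only if the blob is intact and bound to this context."""
    try:
        decrypt_on_backend(private_key, blob, context)
        return True
    except (InvalidTag, ValueError):
        return False


def tamper(blob: str) -> str:
    """Flip one byte of the ciphertext segment (used to show tamper detection)."""
    wrapped, nonce, ct = blob.split(".")
    raw = bytearray(base64.b64decode(ct))
    raw[0] ^= 0x01
    return ".".join((wrapped, nonce, base64.b64encode(bytes(raw)).decode()))


if __name__ == "__main__":
    priv, pub = generate_keypair()
    stored = encrypt_for_backend(pub, "example-twitpic-password", b"user:42")
    print("stored blob:", stored[:40], "...")
    print("backend recovers:", decrypt_on_backend(priv, stored, b"user:42"))
    print("wrong user context accepted?", can_decrypt(priv, stored, b"user:43"))
    print("tampered blob accepted?", can_decrypt(priv, tamper(stored), b"user:42"))
```

Note that the web tier never receives the private key at all, so there is nothing for an attacker on that tier to find; the trade-off, as Eric says, is that the Django model itself can never show the password back, and every use of it has to go through the backend.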
