On 10/30/2015 11:30 AM, Frederic Da Vitoria wrote:
2015-10-30 0:33 GMT+01:00 <wkitt...@windstream.net>:

    On 10/29/2015 01:08 PM, Frederic Da Vitoria wrote:

        Good point. I'd even ask the question: do you really need to store the
        passwords? IOW, do you want to be able to send them back to the user? Or do
        you only need to check them?


    in the use case being studied, passwords can only be compared or reset...


Do you really need to compare them or simply to validate them? I ask because in
one project I worked on for an insurance company, we were forbidden to store the
passwords. We stored only a kind of checksum for them.

that's what i meant... store only the hash and then compare the hashes...

With something like CRC32 or even a higher resolution algorithm, you can
efficiently check that the password is correct (with really low chances of
false positives), minimize the storage space required and completely
eradicate the possibility that someone will get the actual passwords from
your database. This could be relevant if this is for a web site, many people
use the same password on all the web sites so that if their password is
revealed on one site, they would need to change all their passwords.

this is for an old-school BBS that's being updated for the modern world... you remember BBSes, right? those things we used to dial into before the internet came along? back before win95 was foisted on the world? they used to be run on a few different mainframes, PDP-11s, Radio Shack Color Computers (aka the coco), TRS-80s, Apple //c, Macintoshes, IBMPC compatibles, TI-99s and many others ;)

--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list* unless
       private contact is specifically requested and granted.
_______________________________________________
fpc-pascal maillist  -  fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
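The "store only the hash, then compare the hashes" scheme discussed above, as an added Python example that is not code from the list thread: a user record holds only a salt and a PBKDF2-HMAC-SHA256 derived key and a login is checked by recomputing it, and a seeded birthday search shows the false-positive side of using a 32-bit checksum such as CRC32 as the verifier. The iteration count, salt size, record format and the random 8-byte inputs are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import random
import zlib

# Constructed parameters for this example; not values from the thread.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16

def make_record(password: str) -> str:
    """Build the only thing the BBS stores for a user: salt plus derived key.
    The password itself is never written; the random per-user salt means two
    users who picked the same password still get different records."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute the derived key from the candidate and compare it to the record."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: timing must not reveal how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def find_crc32_collision(limit: int = 400_000, seed: int = 0):
    """Why a 32-bit checksum is not a password verifier: a check that compares
    CRC32 values accepts any input with the same checksum, and with only 2^32
    possible values a birthday search over a few hundred thousand random
    8-byte inputs (constructed here from a seeded PRNG) finds such a pair."""
    rng = random.Random(seed)
    seen = {}
    for _ in range(limit):
        candidate = rng.getrandbits(64).to_bytes(8, "big")
        crc = zlib.crc32(candidate)
        if crc in seen:
            return seen[crc], candidate  # two different inputs, same CRC32
        seen[crc] = candidate
    return None

if __name__ == "__main__":
    rec = make_record("hunter2")
    print(verify("hunter2", rec), verify("hunter3", rec))  # True False
    print(find_crc32_collision())
```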
