On May 4, 7:58 am, Christopher Arndt <[email protected]> wrote:
> I'm surprised that no one has mentioned it yet, but obviously with such
> a scheme, you have to store the passwords in clear text on the server
> side, don't you? This is just not acceptable for some sites, so any
> authentication scheme that requires this, can only be ever an option.

From his site:

A user's password is the crown jewels of any password-based
authentication system. Such an important asset needs protection; best
practice is that a password is encrypted when:

    * it is transmitted over the internet, or
    * it is stored on a server.


Storing Passwords
    The server stores password hashes, instead of unencrypted
passwords. A random number unique to the server is included in the
hash. This number is called the "salt", and it is not secret. It is
also included in a hidden field in the login form. The purpose of the
server-specific salt is to ensure that a captured password cannot be
used on a different server.


He's done a pretty good job thinking things through.  md5 is used
because it is built into javascript and makes for a very lightweight
script on the client side.  It's not optimal, but it's better than
cleartext requests.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"TurboGears Trunk" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/turbogears-trunk?hl=en
-~----------~----~----~----~------~----~------~--~---
