On Sun, Oct 09, 2016 at 09:29:07AM +0100, Alan Gauld via Tutor wrote:
> On 09/10/16 01:50, Linda Gray wrote:
>
> > I am working on a homework assignment that has me creating a password saver
> > using a Caesar cipher code. I was provided the key to the cipher and two
> > passwords. I need to look up and decrypt the passwords
>
> Are you sure? That's very bad practice and never needed
> in the real world.

You've never used a password vault then?

The idea of a password vault is that you have one master password which
controls access to a record of sites and their passwords. You need to
record the *actual* password, since you have to enter the password
itself (not a hash) into the site's password field.

Rather than try to remember 50 passwords, or re-use passwords (a
dangerous practice) you remember one good, memorable password, protect
your password vault like it is the keys to your house, and then the
password manager can choose very large, unique, impossible to memorise,
random passwords for each site.

> The normal way to handle passwords is to encrypt them
> and store the encrypted version.

For authentication, it *should* be an irreversible one-way hash.
(Unfortunately, far too many places don't do that. They record the
passwords in plain text, or using a hash without salting, so that the
password is recoverable.)

The exception being password managers or vaults, as I said, as they need
access to the actual password.

> Then when the user
> enters a password you encrypt that and compare it to
> the stored encryption. If the two encrypted versions
> are the same then the original passwords were the same.

That's for authentication.

> So you should never need to see the plaintext
> version of a password, that would be a bad
> security hole.

If you don't know the plaintext version of the password, how do you type
it into the password field?

:-)

--
Steve
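
The authentication case discussed in this message, as an added example that is not part of the original post: it stores a salted one-way hash, verifies a login against it, and shows why an unsalted hash gives two users with the same password the same stored value. The function names, the sample passwords and the iteration count are assumptions made for illustration, and PBKDF2 is one choice of one-way hash, not one named in the thread.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor for this demo; raise it as far as your hardware allows.
PBKDF2_ITERATIONS = 200_000


def unsalted_record(password: str) -> bytes:
    """The weak scheme: a bare, fast hash with no salt."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def salted_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow one-way hash. Returns (salt, derived_key)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, key


def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, expected = record
    _, candidate = salted_record(password, salt)
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    # Constructed sample: two users who happen to choose the same password.
    alice_pw = bob_pw = "correct horse battery staple"
    alice, bob = salted_record(alice_pw), salted_record(bob_pw)
    return {
        # Unsalted: identical passwords are visible as identical stored hashes.
        "unsalted_identical": unsalted_record(alice_pw) == unsalted_record(bob_pw),
        # Salted: the same password yields unrelated stored values.
        "salted_identical": alice[1] == bob[1],
        "right_password": verify(alice_pw, alice),
        "wrong_password": verify("Tr0ub4dor&3", alice),
    }


if __name__ == "__main__":
    print(demo())
```

Nothing here can return the original password, which is the point for authentication; a password vault cannot use this scheme because it has to hand the real password back.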