Tom Collins wrote:
If you stored a single encoded password, anyone sniffing the line could learn the encoded version and just re-use it.
So I have to choose: using a cryptography authentication method that's not safe or having the password being save as plain (wich is not safe either)?
Sure I can guarantee that getting access to my DB is more difficult than getting access to my LAN (in case of sniffing), so I would choose having the plain password stored, but it's still being a hole on the system (if some guy gains access to DB, he'll have access to ALL passwords, while sniffing would just compromise some users).
Is there any plans for workaround this problem? Is there a way to do it? How does behavior other softwares that uses CRAM-MD5? They always kept the plain password?
--
Best regards,
Eduardo M. Bragatto.
