On Thu, Nov 22, 2001 at 11:26:59AM -0800, Tavis Rudd wrote:
> > > * How are passwords stored internally? plain or hashed?
> >
> > They should absolutely *not* be stored as plain (clear?) text.

Sorry, but that *is* a knee-jerk reaction. There are tradeoffs both ways, and it should be the app developer's/local administrator's choice. If passwords are hashed, it's impossible to have an "I forgot my password; mail it to me" screen, because the program cannot unhash the password. You can say, "Oooh, that's unacceptable," but it all depends on what the password grants access to. If it's to my bank account, it had better be hashed and behind 128-bit https. But if it's just to post to a forum or edit an online profile/resume, maybe it doesn't matter that much and it's more important to provide convenience instead. Because forcing people to change passwords to something they didn't choose runs another risk: that they'll forget the password again.

mod_auth_mysql has a particularly robust design. You can configure whether passwords are added in plaintext, DES, or MySQL PASSWORD() format. Then when checking passwords, you can configure several encryption schemes, so that it will try each scheme in order until one succeeds or they all fail.

As for protecting passwords in a database, there are other strategies besides hashing them. For instance:

1) If the password database is on the public server, make sure the db doesn't accept TCP/IP connections from outside the localhost. Lock down login access to the machine and aggressively monitor for web script exploits.

2) If the password database is behind a firewall, the public server hashes the password and sends it to the private server. The private server makes a temporary hash of the control password and uses that for comparison.

-- 
-Mike (Iron) Orr, [EMAIL PROTECTED] (if mail problems: [EMAIL PROTECTED])
http://iron.cx/ English * Esperanto * Russkiy * Deutsch * Espan~ol

_______________________________________________
Webware-discuss mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-discuss