General Password questions

Peter Hansen peter at engcorp.com
Tue Sep 23 09:35:01 EDT 2003


Richard Brodie wrote:
> 
> "Riccardo Attilio Galli" <riquito at riquito.matrix> wrote in message
> news:pan.2003.09.23.13.26.53.712668 at riquito.matrix...
> > On Mon, 22 Sep 2003 19:32:50 -0400, Peter Hansen wrote:
> 
> > I don't want to ask the user for the account password every time, but I also
> > don't want to store it as plain text.
> 
> > Do you know what the usual practice is in these cases?
> 
> The usual practice is to store the password in some trivially breakable encryption
> scheme, preserving some illusion of security.

Hah! :-)  True... sadly.

I'll say what I said a moment ago in the other response, but in a different way.

If it is possible to retrieve the plaintext password, whether because it was
stored in plaintext or because it was stored with some trivially breakable
encryption scheme (or even if it was stored with an incredibly sophisticated
encryption scheme), the system is broken.  Nobody, administrators included,
should ever be able to retrieve the plaintext password of a user, and even with
a fancy encryption scheme, there is always a separate password or key which
can be used to reverse the encryption.

Use hashes.

-Peter
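As an added example (not code from this thread), here is the one-way scheme Peter is recommending, in Python: a salted, iterated hash is what gets stored, and a login attempt is checked by recomputing the hash, so nobody holding the stored record, administrators included, can get the password back out of it. It assumes the application only needs to verify a password the user types, not replay it to some other service.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2; raise it over time as hardware gets faster.
ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The record contains no key and no ciphertext: there is nothing in it
    that can be reversed to recover the password, only recomputed.
    """
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Check a typed password against a stored record.

    Returns False for malformed or unknown records rather than raising, and
    uses a constant-time comparison so a wrong guess is not distinguishable
    by how quickly it is rejected.
    """
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or iterations <= 0:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, iterations)
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")  # what goes in the DB
    print(stored)
    print(verify_password(stored, "correct horse battery staple"))  # True
    print(verify_password(stored, "wrong password"))                 # False
```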