How to obscure a password
Peter Hansen
peter at engcorp.com
Thu Feb 26 13:47:52 EST 2004
"Batista, Facundo" wrote:
>
> Peter Hansen wrote:
>
> #- > I need to restore the password later and use it as if the
> #- > user just entered it.
> #-
> #- Your design is probably fundamentally flawed in that case. Are you
> #- certain it is not possible to store the hashed password and always
> #- to compare against it?
>
> That will imply to the user to enter his password every time (that's what I'm
> trying to avoid).

That's what sessions are for. Don't you have session support?

The only time one should ever need to re-enter a password is when you
are allowing them to *change* their current password. And even then
hashing should still be done before you encrypt the new password with
the old one, so that it can _never_ be seen in the clear on the server.

-Peter
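
The design suggested in the message above (store only a hash, compare against it at login, and let a session stand in for the password afterwards), sketched as an added example that is not part of the original post. The function names, the in-memory dictionaries and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for PBKDF2-HMAC-SHA256

users = {}     # username -> (salt, derived key); the password itself is never stored
sessions = {}  # session token -> username


def derive(password, salt):
    """Salted, deliberately slow hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username, password):
    salt = secrets.token_bytes(16)
    users[username] = (salt, derive(password, salt))


def login(username, password):
    """Compare against the stored hash; return a session token, or None on failure."""
    record = users.get(username)
    if record is None:
        return None
    salt, stored = record
    # Constant-time comparison of the stored key and the freshly derived one.
    if not hmac.compare_digest(stored, derive(password, salt)):
        return None
    token = secrets.token_urlsafe(32)  # unguessable random session identifier
    sessions[token] = username
    return token


def whoami(token):
    """Later requests present the session token, not the password."""
    return sessions.get(token)


def logout(token):
    sessions.pop(token, None)


if __name__ == "__main__":
    # Constructed sample account, for demonstration only.
    register("facundo", "constructed-sample-password")
    t = login("facundo", "constructed-sample-password")
    print(whoami(t))                       # facundo
    print(login("facundo", "wrong-guess"))  # None
```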