How to obscure a password
Peter Hansen
peter at engcorp.com
Thu Feb 26 16:54:54 EST 2004
"Batista, Facundo" wrote:
>
> #- > That will imply to the user to enter his password every time
> #- > (that's what I'm trying to avoid).
> #-
> #- That's what sessions are for. Don't you have session support?
> #-
> #- The only time one should ever need to re-enter a password is when you
> #- are allowing them to *change* their current password. And even then
> #- hashing should still be done before you encrypt the new password with
> #- the old one, so that it can _never_ be seen in the clear on the server.
>
> Sessions? I'm not serving Web. It's a simple program with a GUI that runs
> locally.
Okay, so why not just have a checkbox that the user can select that
says "I don't want to use a password at all" and bypass the "authentication"?

What's the value of having a password on something if you're going to
store the password unencrypted in a local file and give the user the
option of saying "re-use the password in the file"?

Is it that you're going to be sending this password to a remote system,
so basically you've got a utility which allows storing the password
locally so that a user doesn't have to retype it but can still access
the remote system? (If that's the case, you could title this utility
"security-removal-tool" because that's what it is. Your call though...)

-Peter