Send password over TCP connection
Peter Hansen
peter at engcorp.com
Wed Oct 12 19:50:27 EDT 2005
dcrespo wrote:
> then, what do you propose?
I'll assume that question was for me, in response to my comment that one
should never store passwords in the clear.
Do you know how any other system manages to do this? Linux, for example
(assuming a properly configured system)? The passwords aren't stored:
hashes of the passwords are stored (with additional things thrown in to
prevent certain kinds of attacks even if someone nabs the password
(/etc/shadow) file). If you store the password or even encrypt it (i.e.
something that can be reversed if someone knows the key), it's a risk.
If you don't know about this stuff yet, I strongly suggest lots of
additional research and reading prior to implementing a serious system.
There are _many_ web pages to be found which discuss this sort of
thing, probably including lots of tutorials for people starting on the
ground floor.
I bet Paul R or others more experienced in this area can point us to
some excellent ones, but a little googling with "passwords store clear
text" or "encrypted passwords" would get you started. I expect that
would quickly lead to the term "hashing", since you really don't want to
just encrypt the password: that can easily be reversed if anyone has the
key, and certainly an administrator could access the key used by some
random application that encrypts its passwords. The first few hits for
that last search seem to include pages that introduce the concept of
"salt", one of the "additional things" I mentioned above.
I'm not going to try to give a tutorial: I'm not nearly expert enough to
be trusted for that. :-) I just wanted to warn against one of the most
basic and easily avoidable problems.
-Peter
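The scheme Peter describes (store a salted, slow hash instead of the password or a reversibly encrypted copy) in working Python, as an added example that is not part of the original post. It uses PBKDF2-HMAC-SHA256 from the standard library; the record format `pbkdf2_sha256$iterations$salt$hash`, the `UserStore` class and the iteration count are choices made for this example, not anything the thread specifies.

```python
"""Salted password hashing: the server keeps a slow hash, never the password.

Added example (not from the original post). Uses only the standard library.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. A deliberately slow hash limits how
# fast an attacker who steals the store can guess; raise it over time.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    A fresh random salt per user means two users with the same password
    get different records, and a precomputed table of hashes is useless.
    The salt is not secret; it only has to be unique.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    There is no way to get the password back out of `record`; the only
    check possible is "does this candidate hash to the same value?".
    """
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False          # malformed or tampered record
    if algo != ALGO:
        return False          # unknown scheme; refuse rather than guess
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(digest.hex(), hash_hex)


class UserStore:
    """Minimal in-memory equivalent of /etc/shadow: username -> hash record."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        # The clear-text password exists only for the duration of this call.
        self._records[username] = hash_password(password)

    def authenticate(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Hash anyway so a missing user takes as long as a wrong password;
            # otherwise response time reveals which usernames exist.
            hash_password(password)
            return False
        return verify_password(password, record)

    def record_for(self, username: str) -> Optional[str]:
        """What an attacker who dumps the store would see."""
        return self._records.get(username)


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    store.register("bob", "correct horse battery staple")   # same password
    print("alice:", store.record_for("alice"))
    print("bob:  ", store.record_for("bob"))              # different salt, hash
    print("alice login ok:", store.authenticate("alice", "correct horse battery staple"))
    print("alice wrong pw:", store.authenticate("alice", "hunter2"))
```

The record carries its own algorithm name, iteration count and salt, so the work factor can be raised later for new or re-hashed users without breaking old records, and a dump of the store gives an attacker nothing but guessing work; compare that with an encrypted password file, where the key has to live on the same machine and anyone with the key reverses every entry at once.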