[prog] web authentication

Mary mary-linuxchix at puzzling.org
Thu Nov 10 09:31:32 EST 2005


On Wed, Nov 09, 2005, Michelle Murrain wrote:
> You can deal with the password entirely server side, using that  
> method, although encrypting it in the database seems overkill to me,  
> if you've got your database system locked down well. We use plaintext  
> passwords stored on the server.

Storing a one-way (well, one-way-ish these days) hash in the database is
pretty standard if you're going to be doing any kind of security
certification of these kinds of things. For example, banks insist on
you storing passwords and CC numbers either hashed (if you're going one
way) or encrypted (if you need to read them back): they won't trust an
assertion or demonstration that you're locked down well, they want
mathematics behind it. I think using hashes or encryption is good
practice for web developers if nothing else so that if they end up with
a powerful client who insists on security certification, the tweaking
needed is minor rather than major.

-Mary
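
The storage scheme Mary describes (a one-way hash in the database rather than the plaintext Michelle's team uses), as an added example that is not part of either post. It uses only the Python standard library; the record format, the round count and the helper names are this example's own choices, not anything from the thread. The self-describing record is what makes the later "minor tweaking" possible: the round count or algorithm can be raised without touching existing rows, since each row says how it was produced.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the original post).
PBKDF2_ROUNDS = 200_000
SALT_LEN = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = PBKDF2_ROUNDS) -> str:
    """Return a self-describing record: algo$rounds$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password
    get different records, so a precomputed table is useless against a
    leaked dump. The salt is not secret; it only has to be unique.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"{ALGO}${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored record and compare in constant time.

    A malformed record is treated as a failed login, never as an exception
    that might leak its contents into an error page.
    """
    try:
        algo, rounds_s, salt_hex, hash_hex = record.split("$")
        if algo != ALGO:
            return False
        rounds = int(rounds_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest avoids the early-exit timing leak of ==
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, current_rounds: int = PBKDF2_ROUNDS) -> bool:
    """True if the record was produced with fewer rounds than current policy.

    Call this after a successful verify_password() and re-store the password
    with hash_password(); that is the whole migration when policy tightens.
    """
    try:
        algo, rounds_s, _salt_hex, _hash_hex = record.split("$")
    except ValueError:
        return True
    return algo != ALGO or int(rounds_s) < current_rounds


def dump_exposes_passwords(users: dict) -> list:
    """Simulate an attacker reading a leaked user table.

    Returns the usernames whose stored value is directly usable as a password
    (i.e. the plaintext scheme). Hashed rows yield nothing usable.
    """
    exposed = []
    for name, stored in users.items():
        if not stored.startswith(ALGO + "$"):
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    plaintext_store = {"alice": "hunter2", "bob": "hunter2"}
    hashed_store = {u: hash_password(p) for u, p in plaintext_store.items()}
    print("leaked plaintext table exposes:", dump_exposes_passwords(plaintext_store))
    print("leaked hashed table exposes:   ", dump_exposes_passwords(hashed_store))
    print("same password, different rows: ", hashed_store["alice"] != hashed_store["bob"])
    print("login ok:", verify_password("hunter2", hashed_store["alice"]))
    print("login bad:", verify_password("hunter3", hashed_store["alice"]))
```

Running it shows the point Mary is making to a certifier: the plaintext table hands every password to whoever reads the dump, while the hashed table gives them only per-user salted digests that must be brute-forced one at a time.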

