[prog] web authentication
Michelle Murrain
michelle at murrain.net
Thu Nov 10 09:38:19 EST 2005
On Nov 9, 2005, at 2:31 PM, Mary wrote:
> On Wed, Nov 09, 2005, Michelle Murrain wrote:
>> You can deal with the password entirely server side, using that
>> method, although encrypting it in the database seems overkill to me,
>> if you've got your database system locked down well. We use plaintext
>> passwords stored on the server.
>
> Storing a one-way (well, one-way-ish these days) hash in the database is
> pretty standard if you're going to be doing any kind of security
> certification of these kinds of things. For example, banks insist on
> you storing passwords and CC numbers either hashed (if you're going one
> way) or encrypted (if you need to read them back): they won't trust an
> assertion or demonstration that you're locked down well, they want
> mathematics behind it. I think using hashes or encryption is good
> practice for web developers if nothing else so that if they end up with
> a powerful client who insists on security certification, the tweaking
> needed is minor rather than major.
Good points. I've been largely doing small-scale stuff, where these
issues aren't in play.
Michelle
Michelle Murrain
Seminarian, Pacific School of Religion
michelle at murrain.net
Blog: http://www.pearlbear.us
AIM:pearlbear0
googletalk:michelle.murrain at gmail.com
"To reach satisfaction in all desire satisfaction in nothing." -- St. John of the Cross
"Rely on nothing until you want nothing" -- Dhammapada
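Mary's point above, that the database should hold a one-way hash rather than the plaintext password, as an added Python example that is not from the list thread: the stored record is a salted PBKDF2 derivation, and login re-derives it and compares in constant time. The `USERS` dict, the record layout and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; chosen for the example, tune to your hardware.
ITERATIONS = 600_000

# Constructed stand-in for the password column of a users table (example only).
USERS = {}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password
    get different records, and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and compare without early exit."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def register(username: str, password: str) -> None:
    """Only the hashed record ever reaches the database; the password is discarded."""
    USERS[username] = hash_password(password)


def authenticate(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hash_password(password)
        return False
    return verify_password(password, record)
```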