| reverse hashes, which means that if someone forgets their password you
| can't figure it out for them. For some web applications that is a
| problem although I think offering to reset the password provides the
| same benefit, which can be easily done with hashes since you would
| generate the new password for the user.
|
| With the above being said, if you must be able to provide passwords to
| your users if they lose them, then you simply cannot use hashes. Some
| would say that using a form of reversible encryption would be better
| than storing the password in plain-text, but that is not true. Anyone
| who is capable of getting a copy of your database is just as capable of
| getting a copy of your application. And if someone has your application
| then they can use it to decrypt the password since that functionality
| is built right in. Which, mind you, is why it is equally worthless to
| use reversible encryption on any information in your database anyway
| e.g. credit cards.
|
| -Matt
You should not be able to extract passwords from a database. As a best practice,
if a user loses/forgets a password, then you should have some kind of
authentication routine and then issue a new randomly generated password. This
is how most banking and other secure sites handle that chore.
======================================
Stop spam on your domain, Anti-spam solutions
http://www.clickdoug.com/mailfilter.cfm
For hosting solutions http://www.clickdoug.com
======================================
Aspire to Inspire before you Retire or Expire!
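The store-only-a-hash-and-reset flow both messages describe, as an added Python example (not code from either poster); the PBKDF2 parameters, the record format and the in-memory user table are assumptions:

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, Optional

# Assumed PBKDF2-HMAC-SHA256 parameters; pick values appropriate for your hardware.
ITERATIONS = 600_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.
    A fresh random salt per user means identical passwords get different records."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

# Constructed in-memory "user table": username -> password record (never plaintext).
USERS: Dict[str, str] = {}

def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)

def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        hash_password(password)  # same cost for unknown users as for wrong passwords
        return False
    return verify_password(password, record)

def reset_password(username: str) -> str:
    """Replace the stored hash with that of a new random password and return the
    plaintext once, for one-time delivery after the user has been re-authenticated
    by some other routine. The old password is never recovered, only replaced."""
    alphabet = string.ascii_letters + string.digits
    new_password = "".join(secrets.choice(alphabet) for _ in range(16))
    USERS[username] = hash_password(new_password)
    return new_password
```

Nothing in `USERS` can be turned back into a password, so a copy of the database plus a copy of the application yields only the hashes, which is the point Matt makes about reversible encryption.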