Hehe, well, wouldn't it be nice if security tools were perfect, everyone was
completely ethical, and there weren't any unknown vulnerabilities. In that
case, why have passwords? Let me take your response and put it in the
context of credit card numbers. "Why strongly encrypt credit card numbers?
People 'peeking' in your DB should never be a problem if it is set up
correctly with security et al....." It seems a little more important when
put into that context, huh? You wouldn't hash credit card numbers; you want
to be able to use the information again, but storing the encrypted string
and the key together isn't a great idea either.
Steve
-----Original Message-----
From: Neil Clark [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 18, 2000 4:44 AM
To: CF-Talk
Subject: RE: Storing passwords in database as one way hash -The Solution
Okay, hashing the password seems to be overkill - why not simply
generate a random key which you can use with encrypt(form.password, key)?
This value can then be placed in the db along with the key... when it comes
to it, simply decrypt the form.password with the given key and you're away.
If they don't match - see ya, if they do - cool. ;-)
People 'peeking' in your DB should never be a problem if it is set up
correctly with security et al.....
Neil
<! -----------------------------------
Neil Clark
Senior Web Applications Engineer
mcb digital
Tel. +44 (0)20 8941 3232
Tel. +44 (0)20 8408 8131 [Direct]
http://www.mcbdigital.com
----------------------------------->
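The trade-off Steve and Neil are arguing over, as an added example in Python rather than ColdFusion (it is not code from either message): a row that holds the ciphertext and the key side by side hands the password back to anyone who can read the row, while a salted one-way hash still lets the login check succeed without the password ever being stored. The encrypt()/decrypt() pair is an assumed stand-in (a SHA-256 counter keystream XORed over the bytes) for the ColdFusion functions Neil mentions, the "rows" are constructed in-memory dicts standing in for database rows, and PBKDF2-HMAC-SHA256 is the hash chosen here because it is in the standard library.

```python
"""Encrypted-with-key-in-the-same-row versus salted one-way hash.

Added example, not from the CF-Talk thread. encrypt()/decrypt() below are an
assumed stand-in for ColdFusion's encrypt()/decrypt(); the rows are constructed
dicts playing the part of database rows.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, length: int) -> bytes:
    # Counter-mode keystream: SHA-256(key || counter) blocks, cut to length.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: str, key: bytes) -> bytes:
    data = plaintext.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def decrypt(ciphertext: bytes, key: bytes) -> str:
    stream = _keystream(key, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode()


# --- Neil's scheme: ciphertext and key stored in the same row ---------------

def store_encrypted(password: str) -> dict:
    key = os.urandom(16)
    return {"ciphertext": encrypt(password, key), "key": key}


def verify_encrypted(row: dict, attempt: str) -> bool:
    stored = decrypt(row["ciphertext"], row["key"]).encode()
    return hmac.compare_digest(stored, attempt.encode())


def recover_from_row(row: dict) -> str:
    # Whoever can read the row (a DBA, a backup, a SQL injection) needs
    # nothing else: the key is right there next to the ciphertext.
    return decrypt(row["ciphertext"], row["key"])


# --- Steve's point: a salted one-way hash ----------------------------------

ITERATIONS = 200_000  # work factor; raise as hardware gets faster


def store_hashed(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_hashed(row: dict, attempt: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), row["salt"], ITERATIONS)
    # Constant-time compare so the check itself does not leak by timing.
    return hmac.compare_digest(candidate, row["hash"])


if __name__ == "__main__":
    enc_row = store_encrypted("correct horse")
    print("encrypted row gives back:", recover_from_row(enc_row))
    hashed_row = store_hashed("correct horse")
    print("hash verifies:", verify_hashed(hashed_row, "correct horse"))
    print("rejects wrong password:", not verify_hashed(hashed_row, "wrong horse"))
```

The hashed row supports exactly one operation, "is this attempt the password?", which is all a login needs; the encrypted row supports that and also "what is the password?", which is the operation Steve is objecting to. Where the value must be used again later (his credit card example), the fix is not to drop the encryption but to keep the key out of the database, in a separate key store or HSM.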
------------------------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or send a
message with 'unsubscribe' in the body to [EMAIL PROTECTED]