On Saturday 09 January 2010 18:21:00 D. Richard Hipp wrote:
> There is a trade-off.
>
> You can store a cryptographic checksum of the password in the user
> table. ...
> Or you can store the cleartext password in the user
> table and send a cryptographic checksum of the password...

There is another option: send a crypto checksum over the wire, and store a different sum in the user table. Then the server file does not have a cleartext password, nor is one sent on the wire.

> Note that even with option 3 (HTTPS for everything) you still store
> passwords on the client side to enable auto-sync.

Right; I'm less concerned about the local file which only has my password in it than I am with the server file with potentially dozens or hundreds of passwords.

--
Sending me something private? Use my GPG public key: AD29415D
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
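
The option described in the message above, sketched as an added example that is not part of the original post and is not Fossil's code: the client sends one checksum and the server stores a different, salted one. The function names, SHA-256 for the wire sum, and PBKDF2 for the stored sum are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored sum


def wire_sum(user: str, password: str) -> bytes:
    """Client side: checksum sent over the wire in place of the password."""
    return hashlib.sha256(f"{user}:{password}".encode("utf-8")).digest()


def stored_sum(received: bytes, salt: bytes) -> bytes:
    """Server side: a different, salted sum derived from the wire sum."""
    return hashlib.pbkdf2_hmac("sha256", received, salt, PBKDF2_ROUNDS)


def enroll(user: str, received: bytes, table: dict) -> None:
    """Create the user-table row; the server never sees the cleartext."""
    salt = os.urandom(16)
    table[user] = (salt, stored_sum(received, salt))


def verify(user: str, received: bytes, table: dict) -> bool:
    """Recompute the stored sum from what arrived and compare in constant time."""
    row = table.get(user)
    if row is None:
        return False
    salt, expected = row
    return hmac.compare_digest(stored_sum(received, salt), expected)


if __name__ == "__main__":
    users = {}  # stands in for the server's user table
    sent = wire_sum("alice", "correct horse")  # constructed sample credentials
    enroll("alice", sent, users)
    print("good login:", verify("alice", sent, users))
    print("bad login:", verify("alice", wire_sum("alice", "guess"), users))
    # A copied user-table value is not itself accepted as a login.
    print("stored value as login:", verify("alice", users["alice"][1], users))
```

Anyone who captures the wire sum can replay it, so this arrangement protects the server's user table rather than the connection itself.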