If you mean storing the _hashed_ passwords, mostly. I'm not sure that _anything_ is completely safe, and with security, "living paranoid" is best. But if you never store the actual password itself, you're probably covered.

I suppose the level of paranoia ought to be balanced with the degree of risk. If you're just trying to keep your kid sister out of your stuff, you can be pretty casual about things. If you're trying to keep bad guys away from a customer's credit card numbers, you can't be paranoid enough.

Writing secure applications gets to be a habit as much as anything else. One of the first real PHP applications I wrote many years ago was a "quick and dirty" reporting system for internal use, and "done" was better than "good". So, I didn't really worry about some of the things that I did in the design -- plain text passwords, assumed "register_globals" would be on, left some stuff in cookies that I really shouldn't have. The problem was new functions kept getting added to the old code, and "it's working, so why rewrite it?" got asked one too many times. So, some bad decisions got rolled into production code.

In any case, that system is now shut down and, luckily, never got hacked. But it taught me a good lesson -- that doing the Right Thing from the get go saves you tons of problems down the line, especially when it comes to security.

On May 18, 2006, at 3:51 AM, Michael von Aichberger 2 wrote:

Before I try that: Storing the passwords in a list of ascii values ... is
THAT safe?

[To remove yourself from this list, or to change to digest mode, go to 
http://www.penworks.com/lingo-l.cgi  To post messages to the list, email 
[email protected]  (Problems, email [EMAIL PROTECTED]). Lingo-L is for 
learning and helping with programming Lingo.  Thanks!]
