If they have real security standards (though you said unrealistic),
they would realize that good encryption isn't decryptable, only
comparable. Or try and make them realize as such.

AW> My client is the one doing the setup of accounts.

AW> How would the account holder know of his password before it got
AW> encrypted?

AW> Hense the email.

AW> Aaron

AW> -----Original Message-----
AW> From: Peter Beckman [mailto:beckman@;purplecow.com] 
AW> Sent: November 15, 2002 12:35 PM
AW> To: Aaron Wolski
AW> Cc: 'Jason Vincent'; [EMAIL PROTECTED]
AW> Subject: RE: [PHP-DB] Email Encryption?

AW> Why not encrypt the password in the DB?  If they lose their password, it
AW> cannot be sent to them.  They chose it, so it doesn't need to be sent to
AW> them in their email.  If they lose it, it is changed, and they have to
AW> change it again.  That way, only if they are stupid do they have an
AW> extra
AW> step.

AW> The passwords in the DB are encrypted, so only if someone gets a hold of
AW> the DB can the passwords be cracked by brute force.

AW> md5 would work fine for this.  It is the same security that FreeBSD uses
AW> in
AW> their password file.

AW> Peter

AW> On Fri, 15 Nov 2002, Aaron Wolski wrote:

>> Well.
>> Its not what they want.. it what one of their clients want (very big
>> corporation with very unrealistic security standards - you'd think
AW> they
>> were NASA or something *grumble*)
>> Their thought is that someone could hack the received email, login to
>> the store using the publically displayed logins details and reek havoc
>> on the store, etc.
>> *shrugs* Sadly this isn't open for debate as a solutions IS required.
>> Any thoughts?
>> Aaron
>> -----Original Message-----
>> From: Jason Vincent [mailto:jayv@;nortelnetworks.com]
>> Sent: November 15, 2002 11:42 AM
>> To: Aaron Wolski; [EMAIL PROTECTED]
>> Subject: RE: [PHP-DB] Email Encryption?
>> Why email? If the Admin tool uses SSL, that is all you need.
>> Regards,
>> J
>> -----Original Message-----
>> From: Aaron Wolski [mailto:aaronjw@;martekbiz.com]
>> Sent: Friday, November 15, 2002 11:39 AM
>> To: 'Aaron Wolski'; [EMAIL PROTECTED]
>> Subject: RE: [PHP-DB] Email Encryption?
>> Just thinking here..
>> PGP is not an option as it would mean EACH user being setup would need
>> the company's public key to decrypt. Not possible as they setup a few
>> hundred accounts each month.
>> Hmm.. anything else?
>> Argh :(
>> Aaron
>> -----Original Message-----
>> From: Aaron Wolski [mailto:aaronjw@;martekbiz.com]
>> Sent: November 15, 2002 11:36 AM
>> Subject: [PHP-DB] Email Encryption?
>> Sorry for the off topic guys..
>> But I've just been informed that an application we developed for a
>> client whereby they use an Admin tool to setup user accounts into
AW> their
>> store needs to have the login (username and password) encrypted.
>> I am thinking PGP for this but to be honest I've never really worked
>> with PGP and wouldn't have the first clue.
>> Does anyone have any experience with this or can offer and advise at
>> all?
>> Again, sorry for the OT discussion.
>> Aaron
>> --
>> PHP Database Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php

AW> ------------------------------------------------------------------------
AW> ---
AW> Peter Beckman            Systems Engineer, Fairfax Cable Access
AW> Corporation
AW> http://www.purplecow.com/
AW> ------------------------------------------------------------------------
AW> ---

AW> -- 
AW> PHP Database Mailing List (http://www.php.net/)
AW> To unsubscribe, visit: http://www.php.net/unsub.php

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to