----- Original Message -----
From: "Marc Boncz"
Whenever I make a site or application that involves any kind of user validation, I use login/password combinations. Login and password get stored in a database, the login in plain text, the password hashed. When the user forgets his password, make sure there is a mechanism to create a new one and send that to a pre-approved email address.

Rationale is that hashing passwords irreversibly is the only way to guarantee that NO ONE can access the passwords. Not even staff. Because if passwords are readable, sooner or later someone will do so. It may take years, but one day someone will.
<snip>
Moral of the story: NEVER EVER STORE PASSWORDS PLAINTEXT. One doesn't even store mailing-list passwords plaintext, not to mention passwords of any service involving money...
Marc
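The storage and reset flow Marc describes, as an added example that is not code from the original post: an in-memory stand-in for the login/password table, using PBKDF2-HMAC-SHA256 from Python's standard library with a random salt per user, a constant-time comparison on login, and a reset path that never needs the old password because it only ever generates a new one. The table name, the iteration count and the example.org address are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Work factor is a tunable; 100_000 iterations is an assumed value for this example.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted password hash (PBKDF2-HMAC-SHA256, 32-byte output)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


class UserTable:
    """In-memory stand-in for the login/password table in the post: the login
    in plain text, a per-user random salt, the hash, and the pre-approved
    e-mail address used for resets. The plaintext password is never stored."""

    def __init__(self) -> None:
        self.rows: dict[str, dict] = {}

    def register(self, login: str, password: str, email: str) -> None:
        salt = os.urandom(16)   # fresh salt: equal passwords get different hashes
        self.rows[login] = {"salt": salt,
                            "hash": hash_password(password, salt),
                            "email": email}

    def check_login(self, login: str, password: str) -> bool:
        row = self.rows.get(login)
        if row is None:
            # Do the same amount of work for an unknown login so the response
            # time does not reveal whether the account exists.
            hash_password(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(hash_password(password, row["salt"]), row["hash"])

    def reset_password(self, login: str) -> tuple[str, str]:
        """Forgotten-password path: nobody can read the old password back, so a
        new random one is generated, only its hash is stored, and the caller
        mails it to the address that was approved at registration time."""
        row = self.rows[login]
        new_password = secrets.token_urlsafe(12)
        row["salt"] = os.urandom(16)
        row["hash"] = hash_password(new_password, row["salt"])
        return row["email"], new_password


if __name__ == "__main__":
    table = UserTable()
    table.register("marc", "correct horse battery", "marc@example.org")
    print(table.check_login("marc", "correct horse battery"))
    email, fresh = table.reset_password("marc")
    print(email, table.check_login("marc", fresh))
```

The reset returns the new password to the caller only so it can be mailed; nothing readable remains in the table afterwards, which is the property the post is after.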
------------------------------------
Hi Marc,
Having hashes in a database that is writable is not that secure, no matter how complex the encryption algorithm.

For instance, someone can create a new login account with a known username and password. They then look for their username in the database and copy the hash associated with their username. They then write the hash into the database for the target user and log in with the target username and the password they created on the new login account.

A more secure method is to ensure the server has a dedicated IP and then create a remote server with a dedicated IP and SSL cert. Configure Apache on the secondary server so that it will only answer requests from the IP of the primary server. When a password is to be created, the primary server sends the username and requested password, along with some other arbitrary keys with predictable values, via SSL to the secondary server. The secondary server stores the hash in a local database and returns a token. When someone logs in, the primary server looks up the token and sends that to the secondary server via SSL, and the secondary server responds via SSL with the hash. The primary server then completes the login normally. To share the secondary server among a number of primary servers, include the new IP addresses in the secondary server's accept list. Also include the requesting IP address in the hashing algorithm on the secondary server. Tables have to be indexed so that the same username can exist on the different primary servers.
Thanks, Rob.
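Both halves of Rob's reply, as an added example that is not code from either poster: first the hash-copy attack against a single writable table, then a simulation of the two-server layout with the primary holding only tokens, the secondary serving only IP addresses on its accept list, the requesting IP mixed into each hash, and records keyed by (primary IP, token) so one username can exist on several primaries. The SSL transport and Apache configuration are replaced by direct method calls; the class names, the 192.0.2.x/198.51.100.x documentation addresses and the PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional


def hash_password(password: str, salt: bytes, bind: bytes = b"") -> bytes:
    """Salted PBKDF2-HMAC-SHA256. 'bind' is extra material mixed into the salt;
    the secondary server passes the requesting primary's IP here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt + bind,
                               50_000, dklen=32)


class SingleTable:
    """Hashes stored next to the logins in one writable table."""

    def __init__(self) -> None:
        self.rows: dict[str, dict] = {}

    def create(self, login: str, password: str) -> None:
        salt = os.urandom(16)
        self.rows[login] = {"salt": salt, "hash": hash_password(password, salt)}

    def login(self, login: str, password: str) -> bool:
        row = self.rows.get(login)
        return row is not None and hmac.compare_digest(
            hash_password(password, row["salt"]), row["hash"])


def hash_copy_attack(table: SingleTable, attacker: str, victim: str) -> None:
    """The attack in the reply: with write access, copy the attacker's own hash
    (and the salt stored beside it) over the victim's row; the victim's login
    now accepts the attacker's password."""
    table.rows[victim] = dict(table.rows[attacker])


class SecondaryServer:
    """Hash store on its own host. Only primaries on the accept list are served,
    the requesting IP is mixed into every hash, and records are keyed by
    (primary IP, token) so the same username can exist on several primaries."""

    def __init__(self, accept_list: list[str]) -> None:
        self.accept = set(accept_list)
        self.store: dict[tuple[str, str], dict] = {}

    def _check(self, ip: str) -> None:
        if ip not in self.accept:
            raise PermissionError(f"{ip} is not an accepted primary")

    def create(self, ip: str, username: str, password: str) -> str:
        self._check(ip)
        token, salt = secrets.token_hex(16), os.urandom(16)
        self.store[(ip, token)] = {"username": username, "salt": salt,
                                   "hash": hash_password(password, salt, ip.encode())}
        return token

    def fetch(self, ip: str, token: str) -> Optional[dict]:
        self._check(ip)
        return self.store.get((ip, token))


class PrimaryServer:
    """Web server that keeps only username -> token locally."""

    def __init__(self, ip: str, secondary: SecondaryServer) -> None:
        self.ip, self.secondary = ip, secondary
        self.tokens: dict[str, str] = {}

    def create(self, username: str, password: str) -> None:
        self.tokens[username] = self.secondary.create(self.ip, username, password)

    def login(self, username: str, password: str) -> bool:
        token = self.tokens.get(username)
        rec = self.secondary.fetch(self.ip, token) if token else None
        return rec is not None and hmac.compare_digest(
            hash_password(password, rec["salt"], self.ip.encode()), rec["hash"])


def run_scenarios() -> dict[str, bool]:
    """Constructed scenario (not real data); returns named outcomes."""
    out = {}
    single = SingleTable()
    single.create("alice", "alice-secret")
    single.create("mallory", "mallory-knows")
    hash_copy_attack(single, "mallory", "alice")
    out["single_table_hijacked"] = single.login("alice", "mallory-knows")

    sec = SecondaryServer(["192.0.2.10", "192.0.2.11"])   # two accepted primaries
    p1, p2 = PrimaryServer("192.0.2.10", sec), PrimaryServer("192.0.2.11", sec)
    p1.create("alice", "alice-secret")
    p2.create("alice", "other-site-pw")                   # same username, other primary
    out["p1_alice_ok"] = p1.login("alice", "alice-secret")
    out["p2_alice_isolated"] = not p2.login("alice", "alice-secret")
    p2.tokens["alice"] = p1.tokens["alice"]                # p1's token replayed from p2
    out["token_bound_to_ip"] = not p2.login("alice", "alice-secret")
    try:
        sec.fetch("198.51.100.7", p1.tokens["alice"])      # host not on the accept list
        out["rogue_ip_rejected"] = False
    except PermissionError:
        out["rogue_ip_rejected"] = True
    p1.create("mallory", "mallory-knows")
    p1.tokens["alice"] = p1.tokens["mallory"]              # same copy attack on the token table
    out["token_copy_still_works"] = p1.login("alice", "mallory-knows")
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The last check is the caveat a practitioner would want alongside this design: the primary's username-to-token table is still one writable row per user, so an attacker with write access to the primary can copy a token across rows exactly as they copied a hash before. Moving the hashes to a second host removes them from the primary's reach, but the login binding on the primary still has to be protected from writes.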