Hi Alex,

>>> Nobody could stop me anyway.
>>
>> What do you mean? You are the provider of the service! I guess
>> there is a misunderstanding somewhere.
>
> I mean as I'm the admin of that machine, I cannot be stopped from accessing
> the passwords.

You are the provider of the service and as such users trust that you handle their data reasonably well in the first place. If that assumption doesn't hold, there is no point in talking about securing anything. We are talking here about untrusted 3rd parties, right?

> Even if they were encrypted, I could run a brute force attack.

How viable that would be depends on the quality of the encryption. Also note that storing hash+salt is different from storing an encrypted password.

And yes, you can run a brute force attack. _Anyone_ can run it actually, even without having access to the login data (e.g. trying out different passwords in the login form). If you have the data locally, it just makes it faster to get the feedback. How successful such an attempt is depends mainly on the quality of the user's password.

In other words, a plain text password doesn't need any effort, a poorly encrypted password can be decrypted using something significantly more efficient than brute force. Brute force is the least efficient method. The idea there is that you'd have to spend significant effort to get to the passwords.

Cheers,
Tomas

--
UNSUBSCRIBE: mailto:picol...@software-lab.de?subject=unsubscribe