Hi Alex,

>>> Nobody could stop me anyway.
>> 
>> What do you mean?  You are the provider of the service!  I guess
>> there is a misunderstanding somewhere.
>
> I mean as I'm the admin of that machine, I cannot be stopped from
> accessing the passwords.

You are the provider of the service and as such users trust that you
handle their data reasonably well in the first place.  If that
assumption doesn't hold, there is no point in talking about securing
anything.

We are talking here about untrusted 3rd parties, right?

> Even if they were encrypted, I could run a brute force attack.

How viable that would be depends on the quality of the encryption.

Also note that storing hash+salt is different from storing an encrypted
password.

And yes, you can run a brute force attack.  _Anyone_ can run it actually,
even without having access to the login data (e.g. trying out different
passwords in the login form).  If you have the data locally, it just
makes it faster to get the feedback.  How successful such an attempt is
depends mainly on the quality of the user's password.  In other words, a
plain-text password doesn't need any effort, a poorly encrypted password
can be decrypted using something significantly more efficient than brute
force.  Brute force is the least efficient method.  The idea there is
that you'd have to spend significant effort to get to the passwords.

Cheers,

Tomas