Hi Tomas,

> > But encrypting them creates only an illusion of safety.
> I didn't suggest encrypting them but using hash+salt!

Yes, of course. That's nitpicking. Please excuse that I didn't pay
attention to the terminology.

> 1) the whole discussion about acknowledging that some data are more
> confidential then other.  You obviously don't think so.

No, precisely because normally the _data_ in a database are much more
valuable than the passwords.

> > It is ridiculous if we talk about allowing changing passwords and/or
> > sending them via unencrypted mails, and at the same time make so much
> > fuss about hiding them within the machine.
> Again, I am strongly against sending passwords via e-mail.  If you don't
> store the passwords in the first place, there is no way to send them
> obviously.

You should read the discussion in this thread carefully. We had
suggestions to generate short-term passwords and send them by mail.

> protected.  From the point somewhere gets hold of your database your
> system is completely unprotected.  And confidential databases leak all

Again: If somebody gets hold of the database, everything is lost. This
is what must be avoided, and not eyewashing by pretending a false

> And confidential databases leak all the time.

Really?! Probably because they relied on their encrypted (sorry:
hashed!) passwords :-D

> The thing I suggested would give protection to passwords even
> if somebody got hold of the database.

See above.

- Alex
UNSUBSCRIBE: mailto:picol...@software-lab.de?subject=unsubscribe

Reply via email to