-------- Original Message --------
Subject: Re: Passwords (HASHED!) store in same table or separate table?
From: MB Software Solutions, LLC <[email protected]>
To: [email protected]
Date: 12/11/2012 12:38 AM

On 12/10/2012 9:55 PM, Stephen Russell wrote:
> If the salted PW results are in a table with NO KEY to the user. Any good
> password inbound will be salted and that result is found in the table. If
> part of the salt is in the user row, its PK or part of it if a GUID, or
> another column then it is exposed. Or any good password will work because
> there is no tie back to the user.


Hence the reason you'd want some tie back to the user I guess?


Maybe I missed something.

If you don't connect the salted password back to the user in any way, how would they ever change their password? I mean, sure, create a new salted password and add it to the list, but that leaves orphan passwords... not likely they'll be used but extra baggage nonetheless. With an active website, that might grow relatively fast, no? Yes? Maybe?

Maybe date-stamp the salted password entries and let them age-out, forcing the user to enter a new password? (God I hate that in software.)

Mike
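
The two layouts discussed in this thread, side by side, as an added sketch that is not code from any poster: a credential row keyed to the user with a per-user random salt, and a hash table with no key to the user. The table names, function names, the constructed site salt and the choice of PBKDF2-HMAC-SHA256 are assumptions; the thread names no schema or hash function.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000                  # PBKDF2 work factor; assumed value for this sketch
SITE_SALT = b"constructed-site-salt"  # the unkeyed layout can only use a shared salt


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # Keyed layout (hypothetical schema): exactly one credential row per user.
    db.execute("CREATE TABLE credentials (user_id TEXT PRIMARY KEY,"
               " salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    # Unkeyed layout from the thread: hashes with no column tying them to a user.
    db.execute("CREATE TABLE loose_hashes (pw_hash BLOB NOT NULL)")
    return db


def set_password(db: sqlite3.Connection, user_id: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt on every set or change
    # REPLACE overwrites the user's row, so a changed password leaves no orphan.
    db.execute("INSERT OR REPLACE INTO credentials VALUES (?, ?, ?)",
               (user_id, salt, derive(password, salt)))


def verify(db: sqlite3.Connection, user_id: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM credentials WHERE user_id = ?",
                     (user_id,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(derive(password, row[0]), row[1])


def add_unkeyed(db: sqlite3.Connection, password: str) -> None:
    db.execute("INSERT INTO loose_hashes VALUES (?)", (derive(password, SITE_SALT),))


def verify_unkeyed(db: sqlite3.Connection, claimed_user: str, password: str) -> bool:
    # claimed_user cannot take part in the lookup: nothing in the table names a user,
    # so any stored password is accepted for any account.
    hit = db.execute("SELECT 1 FROM loose_hashes WHERE pw_hash = ?",
                     (derive(password, SITE_SALT),)).fetchone()
    return hit is not None
```

In the keyed layout the salt sits next to the hash and is not a secret; its job is to make each user's hash unique, which the unkeyed table cannot do because the lookup has to recompute the hash before it knows whose row it wants.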
