David Crocker wrote:

> I'm by no means an expert in the field of security and Java, but I believe that
> the usual technique is to encode the password that the user types using a 1-way
> hashing algorithm, then store (and hide/protect) the encoded version and use
> that as the password. If an attacker manages to read the password hash, he still
> has to construct a password that will encode to the same value.

At issue is not the mechanical method of storing the password; it is the
fundamental insecurity of storing a password such that an automated
process may recover/use said password.  If an automated process can
recover the password, chances are very good an attacker can, and no
cryptographic algorithm will solve that issue.  The system is weak,
not the individual components.
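As an added illustration of the two cases this thread contrasts (it is example code written for this page, not code from either poster): a one-way, salted PBKDF2 record lets a login routine verify a typed password without being able to recover it, whereas a reversible encoding such as base64, which an automated process can turn back into the plaintext, is equally recoverable by anyone who reads the stored value. The sample password, the record format and the iteration count are constructed assumptions, not values from the thread.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password for the demonstration (not from the thread).
SAMPLE_PASSWORD = "correct horse battery staple"

# Assumed record layout: algorithm$iterations$salt_b64$digest_b64
RECORD_ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Produce a one-way verification record from a typed password.

    A fresh random salt is used unless one is supplied (supplying one is
    only useful for deterministic tests). Nothing in the returned record
    allows the password to be computed back from it.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join([
        RECORD_ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Check a typed password against a stored record.

    Re-derives the digest with the stored salt and iteration count and
    compares in constant time, so the check leaks nothing through timing.
    """
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != RECORD_ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def encode_reversibly(password: str) -> str:
    """The weak pattern the reply warns about: an encoding, not a hash.

    Any process that can read the stored value (including an attacker who
    reads the same file or database row) gets the password back.
    """
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_reversible(stored: str) -> str:
    """Turn the reversible encoding back into the plaintext password."""
    return base64.b64decode(stored).decode("utf-8")


if __name__ == "__main__":
    record = hash_password(SAMPLE_PASSWORD)
    print("stored record:", record)
    print("correct password verifies:", verify_password(SAMPLE_PASSWORD, record))
    print("wrong password verifies:", verify_password("guess", record))
    weak = encode_reversibly(SAMPLE_PASSWORD)
    print("reversible encoding recovers:", recover_reversible(weak))
```

The point the reply makes shows up in the last two functions: because `recover_reversible` exists, the strength of the encoding is irrelevant, since whoever can read the store can run the same step. With the hashed record there is no such function to run, and an attacker who obtains the record is left with the guessing work the quoted text describes, made slower by the salt and the iteration count.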
