On Wed, Oct 27, 2010 at 04:21:45PM -0400, David N Murray wrote:
On Oct 27, Tomas Hlavaty scribed:
not sure if I understand it well but it seems to me that your hash
becomes the password. In other words, if I find out the hash, I can log
in (e.g. using my own client).
Yes, I
Hi Alex,
yes, it's all about prevention ;-) Storing plain text passwords is no
prevention.
But encrypting them creates only an illusion of safety.
I didn't suggest encrypting them but using hash+salt!
We should not waste our time on irrelevant issues. Whether passwords
are encrypted
Hi Alex,
I personally have bad experience with people storing passwords in
plain text. Technically it might not be an issue (after all I think
the wiki doesn't need passwords at all) but it is certainly one of
those warning
Thanks as ever for your input, but your argumentation is quite
Hi Tomas,
But encrypting them creates only an illusion of safety.
I didn't suggest encrypting them but using hash+salt!
Yes, of course. That's nitpicking. Please excuse that I didn't pay
attention to the terminology.
1) the whole discussion about acknowledging that some data are more
Hi Dave,
It seems to have been lost somewhere along the way, but my original email
indicated I use a one-way hash of the password (a la crypt(), but there
Yes, I know. As Tomas already noticed, I mixed up encryption and
hashing, though I'm well aware of the differences, and also used MD5 in
my