Hi Alex,
>> yes, it's all about prevention;-) Storing plain text passwords is no
>> prevention.
>
> But encrypting them creates only an illusion of safety.
I didn't suggest encrypting them but using hash+salt!
> We should not waste our time on irrelevant issues. Whether passwords
> are encrypte
Hi Alex,
>> I personally have bad experience with people storing passwords in
>> plain text. Technically it might not be an issue (after all I think
>> the wiki doesn't need passwords at all) but it is certainly one of
>> those warning
>
> Thanks as ever for your input, but your argumentation is
Hi Tomas,
> > But encrypting them creates only an illusion of safety.
> I didn't suggest encrypting them but using hash+salt!
Yes, of course. That's nitpicking. Please excuse that I didn't pay
attention to the terminology.
> 1) the whole discussion about acknowledging that some data are more
>
Tomas,
just to make it clear (again, as I already wrote this in this thread):
It would be extremely simple to "hash" the passwords. Just call something
like
(native "libcrypto.so" "MD5" '(B . 16) Str (length Str) '(NIL (16)))
in two places (where the passwords are stored, and where they are c
On Oct 28, Alexander Burger scribed:
> On Wed, Oct 27, 2010 at 04:21:45PM -0400, David N Murray wrote:
>
> Or simply create an account for yourself and analyze the encryption of
> your own password in the client. As the client needs the full
> information, including the encryption keys, you might
Hi Dave,
> It seems to have been lost somewhere along the way, but my original email
> indicated I use a one-way hash of the password (a la crypt(), but there
Yes, I know. As Tomas already noticed, I mixed up encryption and
hashing, though I'm well aware of the differences, and also used MD5 in
m