> -----Original Message-----
> From: RXZ JLo [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 22, 2002 4:51 AM
> To: Tomcat Users List
> Subject: Re: storing passwords
>
>
> Thanks to all of you for the responses.
>
> Apart from this password I will be storing some other
> things too (they too are passwords but for some other
> things in the application). I can't use a one-way hash as
> I can't use them further. What mechanism should I
> follow in this case?
Have you considered LDAP? I haven't used it myself, but it might be a better solution if you have to store a variety of user information that will be used in more than one context.

> Also, for the login case should I bother about
> encryption in the login form? Can I just use
> <input type="password"/> and rely on the browser?
> What are the pros and cons for this? If you see Yahoo
> login, they generate MD5 using JavaScript on the
> client side itself - is this really necessary?

Generating the MD5 on the client side doesn't really do too much, since if I know the MD5 then basically I know the password. I just can't type it into Yahoo's UI, since then *that* will get MD5'd and it will change the value sent. (Of course, I could use Mozilla and disable the JavaScript that does this... or write my own page... etc.)

If you use SSL then you don't need the JavaScript trick -- the passwords will be sent over the wire encrypted. But if you can't or don't want to use SSL, then just remember that it is SUPER easy to listen in on HTTP connections and watch the data go back and forth. There are dozens of scripts that basically do this and hunt down likely passwords. So you want to implement *some* level of encryption unless everything you're doing is within a "secure" environment like behind a corporate firewall (note the quotes, that indicates a level of facetiousness).

Erik
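The following is an added example, not code from the thread or from Tomcat, illustrating two points raised above: Erik's remark that a client-side MD5 is itself the credential, and the quoted question about what to store for the login password. It assumes a Python 3 server-side check using only the standard library; the PBKDF2 iteration count and the sample passwords are constructed values. The "other" passwords the original poster must reuse are a separate case: a one-way hash is the wrong tool for them, and they need reversible, authenticated encryption under a key held outside the database (javax.crypto in a Tomcat application), which this example does not cover.

```python
import hashlib
import hmac
import os

# Constructed work factor for the example; tune it to the server hardware.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Server-side salted PBKDF2-HMAC-SHA256 for the login password.

    Only the returned string is stored; the plaintext is verified once,
    on the server, and discarded.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time.

    The stored string is useless as a login token: feeding it back in as
    the "password" just hashes it again and the comparison fails.
    """
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# --- The client-side hashing scheme discussed in the thread, for contrast ---

def client_side_md5(password: str) -> str:
    """What the browser JavaScript would send in place of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_scheme_accepts(value_from_wire: str, stored_md5: str) -> bool:
    """Server check under the client-hashing scheme.

    The value on the wire is compared directly with what is stored, so the
    hex string is the credential: a copy of it logs in without the password.
    """
    return hmac.compare_digest(value_from_wire, stored_md5)


def compare_schemes(password: str) -> dict:
    """Can a captured or leaked stored value be replayed as a login?"""
    stored_md5 = client_side_md5(password)
    stored_hash = hash_password(password)
    return {
        "md5_scheme_replay_of_stored_value_logs_in": md5_scheme_accepts(stored_md5, stored_md5),
        "server_hash_replay_of_stored_value_logs_in": verify_password(stored_hash, stored_hash),
        "server_hash_real_password_logs_in": verify_password(password, stored_hash),
    }


if __name__ == "__main__":
    # Constructed sample password.
    print(compare_schemes("correct horse battery staple"))
```

The server-side scheme only helps if the plaintext reaches the server over SSL, as Erik notes; the hashing protects the stored copy, not the wire. Storing the iteration count and salt alongside the digest lets the work factor be raised later without invalidating existing records.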
