Paul Johnston wrote:
> No need for plaintext passwords, you can hash them in the database
> too. In fact, in the scheme I recommend the server never sees a
> plaintext password. It's true that the stored hashes are
> password-equivalents, that a hacker could use them to login to the
> site. But the crucial point is that a hacker can't use them to login
> to other sites.
But somebody who (unintentionally) gets access to the password database can use the hashes to access all the accounts. True, if somebody has access to the hashed passwords of a normal authentication scheme, he can find out the weak passwords with a brute-force attack pretty quickly, but that's a matter of using appropriately secure passwords.

Chris

--
You received this message because you are subscribed to the Google Groups "TurboGears Trunk" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/turbogears-trunk?hl=en
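The exchange above, as an added example that is not code from the thread, from Paul, from Chris, or from TurboGears: a small model of the client-side hashing scheme Paul describes (the browser sends a site-bound hash, the server stores it as-is), showing both claims side by side. The leaked stored value logs in to the same site (the password-equivalent Chris objects to) but not to another site (Paul's point), weak passwords still fall to a dictionary attack on the stored hashes, and a server that re-hashes the client hash with a per-user salt removes the password-equivalence. The hash construction `site:password`, the user names, the word list and the salted re-hashing step are assumptions for illustration; the thread does not specify them.

```python
import hashlib
import hmac
import os

# Constructed model of the scheme discussed in the thread. The "site:password"
# binding, SHA-256 as the client hash, and the hardened variant are assumptions.


def client_hash(site: str, password: str) -> str:
    """What the client sends instead of the plaintext; bound to the site name."""
    return hashlib.sha256(f"{site}:{password}".encode()).hexdigest()


class NaiveServer:
    """Stores the client hash unchanged: the stored value IS the login credential."""

    def __init__(self, site: str):
        self.site = site
        self.db: dict[str, object] = {}

    def register(self, user: str, password: str) -> None:
        self.db[user] = client_hash(self.site, password)

    def login(self, user: str, submitted: str) -> bool:
        stored = self.db.get(user, "")
        return hmac.compare_digest(stored, submitted)


class HardenedServer(NaiveServer):
    """Re-hashes the client hash with a per-user salt (standard mitigation,
    assumed here, not part of the thread): a leaked row no longer logs in."""

    @staticmethod
    def _derive(salt: bytes, value: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 50_000)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, self._derive(salt, client_hash(self.site, password)))

    def login(self, user: str, submitted: str) -> bool:
        if user not in self.db:
            return False
        salt, stored = self.db[user]
        return hmac.compare_digest(stored, self._derive(salt, submitted))


def crack(site: str, stored_hash: str, wordlist: list[str]):
    """Chris's point: a weak password is recovered from the stored hash by
    guessing, since the client hash is unsalted beyond the site name."""
    for guess in wordlist:
        if client_hash(site, guess) == stored_hash:
            return guess
    return None


def demo() -> dict:
    password = "correct horse battery staple"
    a = NaiveServer("example.org")
    b = NaiveServer("other.example")
    a.register("alice", password)
    b.register("alice", password)          # same password reused on both sites
    a.register("bob", "password123")       # a weak password
    leaked = a.db["alice"]                 # attacker reads example.org's database

    h = HardenedServer("example.org")
    h.register("alice", password)
    _, leaked_row = h.db["alice"]          # attacker reads the hardened database

    wordlist = ["letmein", "password123", "hunter2"]
    return {
        # password-equivalent: the leaked hash logs straight in to the same site
        "naive_same_site": a.login("alice", leaked),
        # but it is bound to example.org, so it fails on the other site
        "naive_other_site": b.login("alice", leaked),
        "naive_other_site_as_password": b.login("alice", client_hash(b.site, leaked)),
        # weak passwords are still recoverable; a strong one is not in the list
        "crack_weak": crack(a.site, a.db["bob"], wordlist),
        "crack_strong": crack(a.site, a.db["alice"], wordlist),
        # hardened: the leaked row does not log in, the real client hash does
        "hardened_replay": h.login("alice", leaked_row.hex()),
        "hardened_legit": h.login("alice", client_hash(h.site, password)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The cross-site result holds only because the site name is folded into the client hash; a client hash of the bare password would be replayable on every site where the password is reused. The hardened variant keeps the property Paul wants (the server never sees the plaintext) while removing the property Chris objects to, at the cost of one extra derivation per login.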
