On 09/10/16 10:42, Steven D'Aprano wrote:

>> Are you sure? That's very bad practice and never needed
>> in the real world.
>
> You've never used a password vault then?

That's true, I've never seen a secure one, so I never use them.
Same with browsers doing auto-authentication, a terrible idea!
But you are also correct that they are a scenario where unencryption
becomes necessary - exactly why they are a bad idea!

Actually I don't mind them so much if they are kept on a single
personal device that is itself secured (and the passwords are
encrypted, of course), but anywhere that the passwords are on a
server and that server provides an API to unencrypt is inherently
unsafe, even when using access keys.

>> So you should never need to see the plaintext
>> version of a password, that would be a bad
>> security hole.
>
> If you don't know the plaintext version of the password, how do you type
> it into the password field? :-)

Smiley noted, but for clarity I meant "you" as in the recipient
of the password not the originator.

--
Alan G
Author of the Learn to Program web site
http://www.alan-g.me.uk/
http://www.amazon.com/author/alan_gauld
Follow my photo-blog on Flickr at:
http://www.flickr.com/photos/alangauldphotos