On 12/09/11 23:15, David Jordan wrote:
> Hi John
> I have not played around with the encryption, but to my knowledge this is not
> the way it works. The password is related to the data encrypted, not to the
> user, so every user would require the same key for the data. To change the
> key you need to unencrypt and reencrypt the data.
And what would happen if the user changed their password?
Plus, where would he get the password from? The password should NEVER
EVER be stored ANYWHERE. Any half-way decent security system mangles the
password on input, and stores the mangled version. A one-way mangle. If
a system is capable of telling you what your password is, it is not
secure (and it's dangerous. People re-use passwords. If a hacker gets
hold of that password database how many other systems have just been
> The other option is encryption at rest where the whole database is encrypted.
> This has been greatly enhanced in Rel11 of UniVerse.
U2-Users mailing list