On 5/4/20 6:16 AM, John Wilcock wrote:
In the context of a list of passwords known to be compromised, it is hopefully fair to assume that they are no longer in current use, and thus no longer of any importance. If it isn't fair to assume that, then the organisation has bigger issues in any case!

None of that changes the fact that storing a list of clear text passwords is against current industry best practice.

Would you want to explain to the board of directors / CEO that systems you administer were the source of passwords being compromised because you didn't encrypt / hash the passwords?

It does not matter where or how the passwords you put in the list came from or were previously exposed. The fact remains that you are describing maintaining a list of clear text passwords. This is plain and simply against current industry best practice. Further, it would fail security audits at many companies I have worked for.



--
Grant. . . .
unix || die
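An added example, not part of this thread, of the practice Grant is arguing for: keep the compromised-password list as hashes only and check candidates with a prefix range query, so neither the stored file nor the lookup exposes a cleartext password. The sample passwords, bucket layout and function names are constructed for this illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample of passwords known to be compromised (illustrative only).
COMPROMISED = ["password", "123456", "letmein", "qwerty"]

def hash_password(pw: str) -> str:
    """Upper-case SHA-1 hex digest, the convention used by range-style breach lookups.
    Caveat: SHA-1 is fast, so a hashed list of weak passwords is still crackable
    offline; hashing limits casual exposure and enables prefix queries, no more."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()

def build_hashed_list(plaintexts):
    """Store only hashes, bucketed by a 5-hex-char prefix; cleartexts are discarded."""
    buckets = defaultdict(set)
    for pw in plaintexts:
        h = hash_password(pw)
        buckets[h[:5]].add(h[5:])
    return dict(buckets)

def range_query(buckets, prefix: str):
    """Server side: return every stored suffix under a prefix.
    The caller never sends a full hash, let alone a cleartext password."""
    return sorted(buckets.get(prefix.upper(), ()))

def is_compromised(buckets, candidate: str) -> bool:
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    h = hash_password(candidate)
    return h[5:] in range_query(buckets, h[:5])

# Build once; the cleartext list can be deleted after this point.
BUCKETS = build_hashed_list(COMPROMISED)

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", "compromised" if is_compromised(BUCKETS, pw) else "not in list")
```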
