Archive of UserLand's first discussion group, started October 5, 1998.
Secure password storage
Author: Eric Kidd Posted: 9/9/2000; 1:44:30 PM Topic: Biggest barrier to building a community in Manila Msg #: 21081 (In response to 21065) Prev/Next: 21080 / 21082 
Oh geez. Of course the person with access to the local machine has access to the passwords. Jeremy, they have to be stored somewhere. Well, are you concerned about malicious administrators, or about somebody using Back Orifice to break into your server and steal the entire password database?
If you're concerned about the former, there's no good solution. If you're concerned about the latter, there's a really cool trick for frustrating the attackers.
The basic algorithm is simple:
- Encrypt all the passwords in your database using a one-way encryption function.
- When the user types in a password, encrypt it and compare it against the database.
Now, if somebody steals your database, they're forced to encrypt the entire dictionary one word at a time and look for matches. You can make their life really difficult in several other ways (do a web search for "password salt" to get an idea).
Of course, if you're not worried about database theft, then these techniques are useless.
Cheers,
Eric
There are responses to this message:
- Re: Secure password storage, Eric Soroos, 9/9/2000; 5:30:14 PM
This page was archived on 6/13/2001; 4:56:36 PM.
© Copyright 1998-2001 UserLand Software, Inc.