Archive of UserLand's first discussion group, started October 5, 1998.

Secure password storage

Author: Eric Kidd
Posted: 9/9/2000; 1:44:30 PM
Topic: Biggest barrier to building a community in Manila
Msg #: 21081 (In response to 21065)

Oh geez. Of course the person with access to the local machine has access to the passwords. Jeremy, they have to be stored somewhere.

Well, are you concerned about malicious administrators, or about somebody using Back Orifice to break into your server and steal the entire password database?

If you're concerned about the former, there's no good solution. If you're concerned about the latter, there's a really cool trick for frustrating the attackers.

The basic algorithm is simple:

Now, if somebody steals your database, they're forced to encrypt the entire dictionary one word at a time and look for matches. You can make their life really difficult in several other ways (do a web search for "password salt" to get an idea).

Of course, if you're not worried about database theft, then these techniques are useless.

Cheers,
Eric


This page was archived on 6/13/2001; 4:56:36 PM.

© Copyright 1998-2001 UserLand Software, Inc.