Linode Forum
https://forum.linode.com/

User Database Password Encryption
https://forum.linode.com/viewtopic.php?f=11&t=4584

Author:  Internat [ Wed Sep 02, 2009 4:42 am ]
Post subject:  User Database Password Encryption

G'day All,

Do you store your user passwords in plaintext or encrypted?

A question for those of you who do virtual hosting of email/FTP and other services. Looking at how hard it is to get an encryption standard that works across all of them, and the very limited support for standards in clients, do you bother encrypting the password in the database?

Articles from Dovecot (http://wiki.dovecot.org/Authentication/Mechanisms) under the non-plaintext auth methods imply bad client support for different encryption methods, and I'm pretty sure proftpd does the same. (And yes, let's ignore the use of insecure FTP for the moment.)

So to the linode community, what do you do?

Author:  NeonNero [ Wed Sep 02, 2009 9:19 am ]
Post subject: 

Encrypted. Always.

Both e-mail and FTP passwords are encrypted with the MySQL ENCRYPT function in our databases.

I also use this kind of thinking when creating websites that use a username and password to log in.

Author:  mjrich [ Wed Sep 02, 2009 4:30 pm ]
Post subject: 

Only encrypted / hashed (edited due to witty comments below ;) ).

Dovecot and exim4 were a bit of a fiddle to get working correctly with php's sha1(), but no complaints about the less standards-compliant clients (yet).

Author:  TheHeartSmasher [ Wed Sep 02, 2009 10:03 pm ]
Post subject: 

You forgot to add hashed (sha1, md5, etc.).

Encryption (two-way; can be decrypted back into the original password):
plaintext password -> encryption key -> encrypted password
encrypted password -> encryption key -> plaintext password

Hashing (supposedly one-way):
plaintext password -> hashed password + any extra stuff you want to add in, like salt -> final hashed password
final hashed password -> no way to get the final hashed password back in plaintext unless you already know what the plaintext password is

The only way to get the password would be to come up with the plaintext equivalent of the hashed value. Even if you do not have the original, there is a chance that you might eventually come across another plaintext value that has the same hash.

Author:  jed [ Wed Sep 02, 2009 10:14 pm ]
Post subject:  Re: User Database Password Encryption

Internat wrote:
Do you store your user passwords in plaintext or encrypted?

When I come across an unsalted, non-hashed plaintext password...I'm frankly staggered.

Author:  marcus0263 [ Wed Sep 02, 2009 11:09 pm ]
Post subject:  Re: User Database Password Encryption

jed wrote:
Internat wrote:
Do you store your user passwords in plaintext or encrypted?

When I come across an unsalted, non-hashed plaintext password...I'm frankly staggered.

I just say ..... keeps me employed ;)

Author:  k33l0r [ Fri Sep 04, 2009 3:18 am ]
Post subject:  Hashed all the way

Exactly, storing plain text passwords is completely irresponsible. I also feel that storing encrypted passwords should be avoided if at all possible (they can still be compromised if the key leaks, and the administrator still has access to all his users' passwords).

Hashed and salted with sha1 or better is the way to go. And make sure you use a unique salt for each password, otherwise the purpose of the salt will be defeated.
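Added example, not code posted by anyone in the thread: it stores a password the way k33l0r and TheHeartSmasher describe (one-way hash, random salt unique to each password) and shows concretely what a single site-wide salt gives away. PBKDF2-SHA256 stands in for "sha1 or better"; the record format, iteration count and function names are my own assumptions.

```python
import hashlib
import hmac
import os

# Iteration count chosen for this illustration; tune to your hardware.
ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    A fresh 16-byte random salt per password means two users with the same
    password still get different records, and a precomputed table built for
    one record is useless against every other one.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_salt_reveals_reuse(passwords):
    """With one salt for the whole table, identical passwords hash identically,
    so anyone holding the table can see which accounts share a password."""
    shared = b"one-salt-for-everyone"          # constructed weak configuration
    records = [hash_password(p, salt=shared) for p in passwords]
    return len(set(records)) < len(records)


def per_user_salt_hides_reuse(passwords):
    """Per-password salts: every record differs, even for equal passwords."""
    records = [hash_password(p) for p in passwords]
    return len(set(records)) == len(records)


if __name__ == "__main__":
    rec = hash_password("correct horse")       # constructed sample password
    print(rec)
    print(verify_password("correct horse", rec), verify_password("wrong", rec))
    print(shared_salt_reveals_reuse(["hunter2", "hunter2", "other"]))
    print(per_user_salt_hides_reuse(["hunter2", "hunter2"]))
```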

All times are UTC-04:00