Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: How should passwords be stored in a database?

From: <lbudney-usenet_at_nb.net>
Date: 02 Sep 2001 08:10:53 -0400
Message-ID: <m3k7zh6bea.fsf@peregrine.swoop.local>


Bernd Eckenfels <ecki_at_lina.inka.de> writes:
> In comp.security.unix lbudney-usenet_at_nb.net wrote:

>> No he's not. He's referring to things like: passwords for access to web-
>> based services. They're usually stored in the clear inside the DB, since
>> the web developers don't know what they're doing.

>
> Well, if you are using Challenge-Response Authentication then you need to
> store the password in clear.

That's incorrect. See <http://www-cs-students.stanford.edu/~tjw/srp/>.

It's also very, very wrong. Storing passwords in the clear should NEVER be done by a server under ANY circumstances, PERIOD. One reason I already gave: users reuse passwords. If you store a person's password, and it happens to be the same as his Net Banking password, YOU share culpability for misuse of that information resulting from compromise of your security.

Another reason is that it's stupid: one successful crack compromises ALL user accounts.

Another is that storing passwords in the clear means that YOUR employees can impersonate your customers. Since the majority of security breaches are actually due to disgruntled employees, this is a serious issue.

--Len.

-- 
Frugal Tip #29:
Every other day put your shoes on the wrong feet so that they wear
more evenly.
Received on Sun Sep 02 2001 - 07:10:53 CDT
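The post's central point is that the server must never hold the password itself. What it should hold instead is a per-user salted, slow hash that is recomputed at login. The following is an added example, not code from the original post: a small in-memory "users table" using PBKDF2-HMAC-SHA256 from the Python standard library (the algorithm, iteration count and record format are assumptions chosen so the example runs offline). Note the three consequences Len lists: two users with the same password get different records, a dump of the table yields no usable password, and nobody with read access to the table (including staff) can log in as a customer from it.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the original post. Parameters are assumptions:
# PBKDF2-HMAC-SHA256 is used because it is in the Python standard library and
# runs offline; raise ITERATIONS until one check costs roughly 100 ms on the
# hardware that actually serves logins.
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record "pbkdf2_sha256$iterations$salt$digest" (hex).

    This record is what goes into the database column: a random per-user salt
    plus a slow hash, never the password itself.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh, unpredictable salt per user
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != f"pbkdf2_{HASH_NAME}":
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# A record for a password nobody knows; used when the username does not exist,
# so that "no such account" costs the same time as "wrong password".
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


def register(users: dict, username: str, password: str) -> None:
    """Store only the hash record for the account (constructed in-memory 'table')."""
    users[username] = hash_password(password)


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate without ever comparing against a stored plaintext."""
    record = users.get(username, _DUMMY_RECORD)
    ok = verify_password(password, record)
    return ok and username in users


if __name__ == "__main__":
    table = {}
    register(table, "alice", "correct horse battery staple")
    register(table, "bob", "correct horse battery staple")
    # Same password, different salts: a leaked table does not reveal shared passwords.
    print(table["alice"] != table["bob"])
    print(login(table, "alice", "correct horse battery staple"))
    print(login(table, "alice", "wrong"))
    print(login(table, "mallory", "correct horse battery staple"))
```

Storing the iteration count inside the record lets you raise it later for new or re-hashed accounts without breaking existing ones; the constant-time comparison keeps a byte-by-byte string compare from leaking how much of the digest matched.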

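The SRP link is the crux of Len's rebuttal to "challenge-response needs the clear password": with SRP the server stores a verifier v = g^x derived from the password, and the exchange authenticates the client without the password ever leaving it. The following is an added demonstration, not code from the post or from the SRP project, of one SRP-6a round with both parties simulated in one process. The group parameters are an assumption: a 63-bit safe prime is searched for at import time so the example runs instantly and offline, which is hopelessly small for real use (the discrete log is trivial, so the verifier leaks the password); a deployment must use the large standardised SRP groups. The function names, the salt size and the use of SHA-256 are also choices made for this example.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the original post or from the SRP project.
# ASSUMPTION: to keep the demo instant and offline, the group is a 63-bit safe
# prime found at import time. That is far too small to be secure; real
# deployments use the large standardised safe-prime groups for SRP. The
# protocol steps themselves follow SRP-6a.


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; these twelve bases are deterministic for n < 2**64."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> int:
    """Smallest odd q >= start with q and 2q+1 both prime; returns N = 2q+1."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


N = find_safe_prime(1 << 62)   # demo-sized modulus (see ASSUMPTION above)
g = 2                          # lies in the large prime-order subgroup of a safe-prime group
NLEN = (N.bit_length() + 7) // 8


def to_bytes(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(to_bytes(N), to_bytes(g))  # SRP-6a multiplier parameter


def private_x(username: str, password: str, salt: bytes) -> int:
    """x = H(salt, H(I ":" P)); computed on the client only."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


def enroll(username: str, password: str) -> tuple:
    """Registration: the server receives and stores (salt, v) with v = g^x, not the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)


def authenticate(username: str, password: str, salt: bytes, v: int) -> bool:
    """One SRP-6a exchange, both sides simulated in-process; returns the server's verdict."""
    # Client -> Server: A = g^a
    a = secrets.randbits(256)
    A = pow(g, a, N)
    # Server -> Client: salt, B = k*v + g^b
    b = secrets.randbits(256)
    B = (k * v + pow(g, b, N)) % N
    if A % N == 0 or B % N == 0:
        return False  # each side must reject a zero public value
    u = H(to_bytes(A), to_bytes(B))
    # Client: S = (B - k*g^x)^(a + u*x); only the client knows x
    x = private_x(username, password, salt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_client = hashlib.sha256(to_bytes(S_client)).digest()
    # Server: S = (A * v^u)^b; only the stored verifier v is needed
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    K_server = hashlib.sha256(to_bytes(S_server)).digest()
    # Client -> Server: proof M1 = H(A, B, K); the password itself never crosses the wire
    M1 = hashlib.sha256(to_bytes(A) + to_bytes(B) + K_client).digest()
    expected = hashlib.sha256(to_bytes(A) + to_bytes(B) + K_server).digest()
    return hmac.compare_digest(M1, expected)


if __name__ == "__main__":
    salt, v = enroll("alice", "correct horse battery staple")
    print(authenticate("alice", "correct horse battery staple", salt, v))  # server accepts
    print(authenticate("alice", "wrong password", salt, v))                 # server rejects
```

Why both sides agree: the client's base B - k*g^x reduces to g^b, so it computes g^(b(a+ux)); the server computes (g^a * g^(xu))^b, the same value. A wrong password gives a different x, a different base, and a proof the server cannot reproduce. With a real-sized group the stored v is not password-equivalent: an attacker who dumps the table still needs x to complete the client side, which is exactly what a hashed-password store cannot offer for a challenge-response scheme and what SRP adds.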