Re: How should passwords be stored in a database?
<lbudney-usenet_at_nb.net> wrote in message news:m3k7zh6bea.fsf_at_peregrine.swoop.local...
> Bernd Eckenfels <ecki_at_lina.inka.de> writes:
> > In comp.security.unix lbudney-usenet_at_nb.net wrote:
> >> No he's not. He's referring to things like: passwords for access to
> >> web-based services. They're usually stored in the clear inside the DB,
> >> since the web developers don't know what they're doing.
> >
> > Well, if you are using Challenge-Response Authentication then you need
> > to store the password in clear.
>
> That's incorrect. See <http://www-cs-students.stanford.edu/~tjw/srp/>.
So what if I don't want to use this?
> It's also very, very wrong. Storing passwords in the clear should NEVER
> be done by a server under ANY circumstances, PERIOD. One reason I already
> gave: users reuse passwords. If you store a person's password, and it
> happens to be the same as his Net Banking password, YOU share culpability
> for misuse of that information resulting from compromise of your security.
Is that your opinion as a lawyer based on cases, or your opinion as a
security expert? Or indeed just a moral statement?
>
> Another reason is that it's stupid: one successful crack compromises ALL
> user accounts.
Agreed.
--
Niall Litchfield
Oracle DBA
Audit Commission UK

Received on Mon Sep 03 2001 - 05:02:15 CDT
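The disputed point in the quoted exchange is whether challenge-response login forces the server to keep the cleartext password. The following is an added example, not code from the thread or from the SRP page linked above: a pure-Python SRP-6a exchange in which the database holds only a per-user salt and verifier v = g^x mod N, yet the client still proves knowledge of the password without ever sending it. The group is the 1024-bit MODP group 2 from RFC 2409 with g = 2, transcribed by hand and therefore checked to be a safe prime at import time; 1024 bits is demonstration size only. The proof message M is simplified to H(A, B, K) rather than the full SRP-6a form, and the `login` helper runs both sides in one process to keep the exchange readable.

```python
import hashlib
import secrets

# 1024-bit MODP group 2 from RFC 2409, g = 2. Transcribed by hand, so it is
# verified as a safe prime below; 1024 bits is demonstration size only.
N = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
g = 2
N_BYTES = (N.bit_length() + 7) // 8


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; enough to catch a transcription error in N."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(n):
    return is_probable_prime(n) and is_probable_prime((n - 1) // 2)


assert is_safe_prime(N), "N is not a safe prime: check the transcription"


def H(*parts):
    """SHA-256 over the concatenation; ints are left-padded to len(N)."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes(N_BYTES, "big")
        elif isinstance(p, str):
            p = p.encode()
        h.update(p)
    return h.digest()


def H_int(*parts):
    return int.from_bytes(H(*parts), "big")


k = H_int(N, g)  # SRP-6a multiplier


def make_verifier(username, password, salt=None):
    """Enrolment: the DB row is (username, salt, v). The password is never stored."""
    salt = secrets.token_bytes(16) if salt is None else salt
    x = H_int(salt, H(username + ":" + password))
    return salt, pow(g, x, N)


def client_step1():
    a = secrets.randbelow(N)
    return a, pow(g, a, N)  # A is sent to the server


def server_step1(v):
    b = secrets.randbelow(N)
    return b, (k * v + pow(g, b, N)) % N  # B is the server's challenge


def client_session_key(username, password, salt, a, A, B):
    if B % N == 0:
        raise ValueError("invalid server value B")
    u = H_int(A, B)
    if u == 0:
        raise ValueError("invalid scrambling parameter u")
    x = H_int(salt, H(username + ":" + password))
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return H(S)


def server_session_key(v, b, A, B):
    if A % N == 0:
        raise ValueError("invalid client value A")
    u = H_int(A, B)
    if u == 0:
        raise ValueError("invalid scrambling parameter u")
    S = pow((A * pow(v, u, N)) % N, b, N)
    return H(S)


def login(db_record, username, password):
    """Run both sides of the exchange; True iff the server accepts the proof."""
    salt, v = db_record
    a, A = client_step1()          # client -> server: username, A
    b, B = server_step1(v)         # server -> client: salt, B
    K_client = client_session_key(username, password, salt, a, A, B)
    K_server = server_session_key(v, b, A, B)
    M_client = H(A, B, K_client)   # client -> server: proof of K
    M_server = H(A, B, K_server)
    return secrets.compare_digest(M_client, M_server)
```

Note what a leaked table buys an attacker here: v permits offline guessing against that one user's password (hence the per-user salt and a slow password hash in real deployments), but it cannot be replayed to log in as that user, and it does not hand over a password the user may have reused elsewhere.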