Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US

Re: How should passwords be stored in a database?

From: Niall Litchfield <n-litchfield_at_audit-commission.gov.uk>
Date: Mon, 3 Sep 2001 11:02:15 +0100
Message-ID: <3b935530$0$236$ed9e5944@reading.news.pipex.net>


<lbudney-usenet_at_nb.net> wrote in message news:m3k7zh6bea.fsf_at_peregrine.swoop.local...
> Bernd Eckenfels <ecki_at_lina.inka.de> writes:
> > In comp.security.unix lbudney-usenet_at_nb.net wrote:
> >> No he's not. He's referring to things like: passwords for access to web-
> >> based services. They're usually stored in the clear inside the DB, since
> >> the web developers don't know what they're doing.
> >
> > Well, if you are using Challenge-Response Authentication then you need to
> > store the password in clear.
>
> That's incorrect. See <http://www-cs-students.stanford.edu/~tjw/srp/>.

So what if I don't want to use this?

> It's also very, very wrong. Storing passwords in the clear should NEVER
> be done by a server under ANY circumstances, PERIOD. One reason I already
> gave: users reuse passwords. If you store a person's password, and it
> happens to be the same as his Net Banking password, YOU share culpability
> for misuse of that information resulting from compromise of your security.

Is that your opinion as a lawyer based on cases, or your opinion as a security expert? Or indeed just a moral statement?
>
> Another reason is that it's stupid: one successful crack compromises ALL
> user accounts.

Agreed.

--
Niall Litchfield
Oracle DBA
Audit Commission UK
Received on Mon Sep 03 2001 - 05:02:15 CDT
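The quoted exchange turns on two claims: that passwords must never be stored in the clear, and that challenge-response authentication forces a server to keep the cleartext. The following Python example, added here and not part of the thread or any poster's code, shows a server that stores only a salt and a PBKDF2-derived verifier per user, verifies a plain password against it, and also runs a simple HMAC-based challenge-response over that same stored verifier, so the cleartext password never reaches the database in either flow. The in-memory `USER_TABLE`, the function names and the iteration count are assumptions chosen for illustration. Note the caveat this simple scheme does not address: the stored verifier is password-equivalent for this server, so a leaked table still lets its holder answer challenges here (though not reuse the password elsewhere); the SRP protocol linked in the post is designed so that the stored verifier alone is not enough to authenticate.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a database table: username -> (salt, verifier).
# Only the salt and the derived verifier are ever stored, never the password.
USER_TABLE: dict[str, tuple[bytes, bytes]] = {}

# Iteration count is an assumption for the example; production values are
# tuned to the server's hardware.
PBKDF2_ITERATIONS = 100_000


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length verifier from the password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    """Store a fresh random salt and the verifier; the password itself is discarded."""
    salt = os.urandom(16)
    USER_TABLE[username] = (salt, derive_verifier(password, salt))


def verify_password(username: str, password: str) -> bool:
    """Plain password check: re-derive and compare in constant time."""
    record = USER_TABLE.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal whether the account exists.
        derive_verifier(password, b"\x00" * 16)
        return False
    salt, stored_verifier = record
    return hmac.compare_digest(stored_verifier, derive_verifier(password, salt))


def server_challenge(username: str) -> tuple[bytes, bytes]:
    """Server side of challenge-response: send the user's salt and a fresh nonce."""
    record = USER_TABLE.get(username)
    salt = record[0] if record else os.urandom(16)  # random salt for unknown users
    return salt, os.urandom(32)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: derive the verifier locally and MAC the nonce with it."""
    return hmac.new(derive_verifier(password, salt), nonce, "sha256").digest()


def server_check_response(username: str, nonce: bytes, response: bytes) -> bool:
    """Server recomputes the expected MAC from the stored verifier only."""
    record = USER_TABLE.get(username)
    if record is None:
        return False
    expected = hmac.new(record[1], nonce, "sha256").digest()
    return hmac.compare_digest(expected, response)


def stored_record_contains_password(username: str, password: str) -> bool:
    """Sanity check that the cleartext password does not appear in the stored row."""
    salt, verifier = USER_TABLE[username]
    return password.encode("utf-8") in (salt + verifier)


if __name__ == "__main__":
    register("alice", "correct horse")  # constructed sample account
    print("password check:", verify_password("alice", "correct horse"))
    salt, nonce = server_challenge("alice")
    resp = client_response("correct horse", salt, nonce)
    print("challenge-response:", server_check_response("alice", nonce, resp))
    print("row contains cleartext:", stored_record_contains_password("alice", "correct horse"))
```

Both paths compare with `hmac.compare_digest` rather than `==`, and the unknown-user branch in `verify_password` still performs a derivation so that timing does not leak which usernames exist.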

