Re: How should passwords be stored in a database?
Niall Litchfield <n-litchfield_at_audit-commission.gov.uk> wrote in message
news:3b935530$0$236$ed9e5944_at_reading.news.pipex.net...
> <lbudney-usenet_at_nb.net> wrote in message
> news:m3k7zh6bea.fsf_at_peregrine.swoop.local...
> > That's incorrect. See <http://www-cs-students.stanford.edu/~tjw/srp/>.
>
> So what if I don't want to use this
>
> > It's also very, very wrong. Storing passwords in the clear should NEVER
> > be done by a server under ANY circumstances, PERIOD. One reason I already
> > gave: users reuse passwords. If you store a person's password, and it
> > happens to be the same as his Net Banking password, YOU share culpability
> > for misuse of that information resulting from compromise of your security.
>
> Is that your opinion as a lawyer based on cases or your opinion as a
> security expert? Or indeed just a moral statement?
In the UK:
I believe the 1998 Data Protection Act, BS7799, and the Human Rights Act
apply. The programmer could well be held responsible by the courts if it can
be proven that he/she has chosen NOT to implement good security practice
without substantial grounds.
Leaving aside the legal stuff - yes, it is your fault if your data gets cracked because you didn't put adequate security in place.
> Oracle DBA
> Audit Commission UK
hmmm.
Colin

Received on Tue Sep 04 2001 - 04:20:53 CDT