Newsgroup: c.d.o.server

Re: How should passwords be stored in a database?

From: Niall Litchfield <n-litchfield_at_audit-commission.gov.uk>
Date: Wed, 5 Sep 2001 12:46:24 +0100
Message-ID: <3b96109a$0$236$ed9e5944@reading.news.pipex.net>


"Colin McKinnon" <colin_at_EditMeOutUnlessYoureABot.wew.co.uk> wrote in message news:q562n9.ukg.ln_at_Lonmay.wew.co.uk...
<snip>
> > > It's also very, very wrong. Storing passwords in the clear should NEVER
> > > be done by a server under ANY circumstances, PERIOD. One reason I already
> > > gave: users reuse passwords. If you store a person's password, and it
> > > happens to be the same as his Net Banking password, YOU share culpability
> > > for misuse of that information resulting from compromise of your security.
> >
> > Is that your opinion as a lawyer based on cases or your opinion as a
> > security expert. Or indeed just a moral statement.
>
> In the UK:
> I believe the 1998 Data Protection Act, BS7799, and the Human Rights Act
> apply. The programmer could well be held responsible by the courts if it can
> be proven that he/she has chosen NOT to implement good security practice
> without substantial grounds.

I think it would be interesting to see this in a case. Certainly as well the Data Protection Act, which does state "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data", holds the Data Protection Officer of the company rather than the programmers responsible. I guess the British standard would only be used as evidence as it has no legal force, and the Human Rights Act certainly hasn't been used yet. Nevertheless the scenario was that a company was liable not for damages caused by hacking of its data (for example if I kept all the address records of a classic car club) but for the consequential loss when it is discovered that, as well as being a member of my car club, Lord Montague has used the same password for his Lloyds bank savings account and so a hacker can steal all his millions. I'd be surprised if the courts would necessarily hold me responsible for this consequential loss, or to what extent it would be mitigated by the user's contributory negligence.

In essence my question is not "is the advice good" (it undoubtedly is) but "is the suggestion as to the legal consequences backed up by legal experience" (and, as a supplementary, in which jurisdiction).
>
> Leaving aside the legal stuff - yes, it is your fault if your data gets
> cracked because you didn't put adequate security in place.

Morally and from a security standpoint I agree entirely.
>
> > Oracle DBA
> > Audit Commission UK
>
> hmmm.

Care to elaborate off list if necessary?

--
Niall Litchfield
Oracle DBA
Audit Commission UK
Received on Wed Sep 05 2001 - 06:46:24 CDT
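As an added example (not code from this post or thread), the storage scheme the quoted advice calls for: the password column holds only a salted, one-way hash, and login verifies by recomputing it, so a copy of the table reveals neither the password nor which users share one. The record layout, the PBKDF2 parameters and the sample passwords are assumptions constructed for this example.

```python
import hashlib
import hmac
import os

# Assumption: iteration count chosen for this example; tune to your hardware budget.
ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"


def make_password_record(password: str) -> str:
    """Build the value to store in the database: algorithm$iterations$salt$hash.

    A fresh random salt per user means two users with the same password get
    different records, so the table itself does not expose password reuse.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: treat as a failed login, never as a match
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(digest.hex(), digest_hex)


def records_reveal_reuse(password: str) -> bool:
    """Return True if two users with the same password would get identical records."""
    return make_password_record(password) == make_password_record(password)


if __name__ == "__main__":
    # Constructed sample: a club member who (unwisely) reuses a banking password.
    stored = make_password_record("lloyds-savings-2001")
    print("stored record:", stored)
    print("login ok:", verify_password("lloyds-savings-2001", stored))
    print("wrong password ok:", verify_password("guess", stored))
    print("same password, same record:", records_reveal_reuse("lloyds-savings-2001"))
```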