Re: How to deal with password

From: Philip Lijnzaad <lijnzaad_at_ebi.ac.uk>
Date: 25 Sep 2000 17:32:21 +0100
Message-ID: <u73dioh1pm.fsf_at_o2-3.ebi.ac.uk>


> We have a web system, and in our database a member has an account and a
> password. Now what I need to know is how I can store the password so that
> even the administrators cannot see it?

Well ... the web server will get the password as plain text anyway, so if the DBA has the same privileges as w3nobody or root, then you can't hide it.

If not, have the server encrypt the plaintext password straight away with a decent crypto (IDEA, MD5, triple-DES), and store it in the database. To authenticate a user, all you need to do is to compare the typed-in (and encrypted) password with the known (and encrypted) password in the database. The only drawback is that you can't tell users their password in case they forget. If they do, you can only reset it to a password you choose (a fixed or random one), then mail it to them and tell them to change it.

ps: make sure the web server uses SSL or so to obtain the password from the browser, otherwise the password is visible in transit.

-- 
When C++ is your hammer, everything looks like a thumb. (Steven Haflich)
-----------------------------------------------------------------------------
Philip Lijnzaad, lijnzaad_at_ebi.ac.uk \ European Bioinformatics Institute,rm A2-24
+44 (0)1223 49 4639                 / Wellcome Trust Genome Campus, Hinxton
+44 (0)1223 49 4468 (fax)           \ Cambridgeshire CB10 1SD,  GREAT BRITAIN
PGP fingerprint: E1 03 BF 80 94 61 B6 FC  50 3D 1F 64 40 75 FB 53
Received on Mon Sep 25 2000 - 18:32:21 CEST
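The hash-and-compare scheme and the reset path described in the reply above, as an added example that is not Philip's code. It substitutes PBKDF2-HMAC-SHA256 (a salted, deliberately slow password hash) for the IDEA/MD5/triple-DES the post names, uses a constant-time digest comparison, and stands in a plain Python dict for the members table; the `members`, `store_password`, `verify_password` and `reset_password` names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Hypothetical stand-in for the members table: username -> (salt, digest).
# The plaintext password is never written anywhere.
_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given.

    PBKDF2-HMAC-SHA256 replaces the MD5/IDEA/3DES the post mentions: a slow,
    salted password hash makes offline guessing against a leaked table costly.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)
    return salt, digest


def store_password(db: dict, username: str, password: str) -> None:
    """Hash the password straight away and keep only salt + digest."""
    db[username] = hash_password(password)


def verify_password(db: dict, username: str, attempt: str) -> bool:
    """Re-hash the typed-in password with the stored salt and compare digests.

    Anyone who can read the table (the DBA included) sees only salt + digest,
    and compare_digest keeps the comparison time independent of where the
    digests first differ.
    """
    record = db.get(username)
    if record is None:
        # Hash anyway so an unknown username takes as long as a known one.
        hash_password(attempt)
        return False
    salt, expected = record
    _, actual = hash_password(attempt, salt)
    return hmac.compare_digest(expected, actual)


def reset_password(db: dict, username: str) -> str:
    """The recovery path from the post: the old password cannot be recovered,
    so issue a random temporary one, store its hash, and hand the plaintext
    back to be mailed to the user, who is then told to change it."""
    temporary = secrets.token_urlsafe(12)
    store_password(db, username, temporary)
    return temporary


if __name__ == "__main__":
    members = {}
    store_password(members, "alice", "correct horse battery staple")
    print(verify_password(members, "alice", "correct horse battery staple"))  # True
    print(verify_password(members, "alice", "wrong"))                          # False
    temp = reset_password(members, "alice")
    print(verify_password(members, "alice", temp))                             # True
```

The temporary password returned by `reset_password` is the only plaintext that ever leaves the server, and only over the mail channel the post describes; the table itself holds nothing reversible.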
