Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: How should passwords be stored in a database?

From: Bernd Eckenfels <ecki_at_lina.inka.de>
Date: 2 Sep 2001 10:55:30 GMT
Message-ID: <9mt372$4mc$1@sapa.inka.de>


In comp.security.unix lbudney-usenet_at_nb.net wrote:
> No he's not. He's referring to things like: passwords for access to web-
> based services. They're usually stored in the clear inside the DB, since
> the web developers don't know what they're doing.

Well, if you are using Challenge-Response Authentication then you need to store the password in clear.

> being compromised, but because people reuse passwords. For the people who
> are compromised in this way, NONE of their accounts should be considered
> safe. So the site maintainer is guilty of a major breach of privacy against
> his own users.

Of course using hashed passwords does not mean an intruder cannot install a trojan, so using secure passwords is not as important as one might think. Especially since the DB can be protected independently from the Web Application and the tool verifying the passwords does not need to hand them out.

Greetings
Bernd

Received on Sun Sep 02 2001 - 05:55:30 CDT
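
The storage trade-off raised in the post above, sketched as an added example that is not part of the original message: in a simple HMAC challenge-response scheme the verifier keys the HMAC with the stored password, while a store that keeps only a salted one-way hash can check a submitted password but cannot reproduce the response. The HMAC-SHA256 and PBKDF2 choices, the class names and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def client_response(password, challenge):
    # Client proves knowledge of the password without sending it.
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ClearTextStore:
    """Challenge-response verifier: keeps the password itself."""
    def __init__(self):
        self.users = {}
    def enroll(self, user, password):
        self.users[user] = password
    def verify_response(self, user, challenge, response):
        expected = client_response(self.users[user], challenge)
        return hmac.compare_digest(expected, response)

class HashedStore:
    """Keeps only salt + PBKDF2 hash; the password is submitted at login."""
    def __init__(self):
        self.users = {}
    def enroll(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, kdf(password, salt))
    def verify_password(self, user, password):
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, kdf(password, salt))
    def verify_response(self, user, challenge, response):
        # The only stored value is the one-way hash; keying the HMAC with it
        # does not reproduce what the client computed from the password.
        expected = hmac.new(self.users[user][1], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    password = "constructed-sample-pw"   # constructed sample value
    clear, hashed = ClearTextStore(), HashedStore()
    clear.enroll("alice", password)
    hashed.enroll("alice", password)
    challenge = secrets.token_bytes(16)  # fresh server nonce per login
    response = client_response(password, challenge)
    return {
        "clear_cr": clear.verify_response("alice", challenge, response),
        "hashed_cr": hashed.verify_response("alice", challenge, response),
        "hashed_pw": hashed.verify_password("alice", password),
    }
```
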
