[JDEV] Account information storage, plaintext?
Jamin W. Collins
jcollins at asgardsrealm.net
Mon Sep 15 12:19:12 CDT 2003
On Mon, Sep 15, 2003 at 07:37:53PM +0600, Raditha Dissanayake wrote:
>
> As others have explained the transport passwords have to be available
> in plaintext for the transports to work. However that does not mean
> that you have to store them in plain text. A small modification to
> xdb_sql or xdb_file can allow you to encrypt/decrypt passwords but
> this has to be a two way algorithm instead of a one way hash.
The use of a two way algorithm would still require the user do more than
cat the file to find the password. Why should we make it as easy as
possible for people (admins or not) to find out other people's
passwords? If anything we should be taking every possible step to do
exactly the opposite.
> btw: you will find thousands of web applications that store usernames
> and passwords in plaintext.
Simply because thousands of applications do it doesn't mean it's the
correct thing to do.
--
Jamin W. Collins
Remember, root always has a loaded gun. Don't run around with it unless
you absolutely need it. -- Vineet Kumar