[Chugalug] Why you don't store passwords, explained

Stephen Kraus ub3ratl4sf00 at gmail.com
Tue Nov 5 22:24:35 UTC 2013


Um, correct me if I'm wrong, but a back end for a licensing server for your
products should have the usernames and passwords associated with the keys
stored....how else would you associate an account with its users data?

And correct me if I'm wrong but if I (Sagan forbid) lose the password
associated with a very expensive product key, there had better be a
recovery route.
On Nov 5, 2013 5:21 PM, "Dave Brockman" <dave at brockmans.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 11/5/2013 4:07 PM, Stephen Kraus wrote:
> > Its more 'why you don't just encrypt your password database with a
> >  broken encryption system'
> >
> > Hash storage is what they were supposed to do.
>
> No, it's "don't store passwords, including encrypted versions of
> passwords".  Hashes != passwords.  This isn't one of those
> applications that should actually save recoverable passwords.  That's
> what KeePass is for, not Adobe's back-end licensing server(s).
>
> Regards,
>
> dtb
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQEcBAEBAgAGBQJSeWvsAAoJEMP+wtEOVbcde0IH/2FvJKNYxjuwSYNzzs2McYSE
> NRJFUlLJqCUeEun/jUdkSvxw1auGa439Fu6vengGtcp2DUiggr19lfQrOsK6Yu4w
> j1g4wh20ySdOMfE7Q6fZL4/akBv7A6anNdDpnul4d9vs4Qg2edj9umWbM1CK6xSs
> PKLTnH1ZZ1Luz2vLm/dpLZtSxiUmMKuwrfE6asf6aE0OVWrJWpoUdwNpT5qT/Pnq
> IAd0sBLVRfdbdAq6qp5LbNia32+mGc3RBAwPGCfAAVK0A9+hiAkK/9X9c4uye6kS
> SLYf/cX+q5/2TWfTZZ6JWH52rjBU28KC2hzgc7es6saYGJgR5QIZ0x3OvC+55zs=
> =YrVA
> -----END PGP SIGNATURE-----
> _______________________________________________
> Chugalug mailing list
> Chugalug at chugalug.org
> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://chugalug.org/pipermail/chugalug/attachments/20131105/16672d2d/attachment.html>


More information about the Chugalug mailing list