[Chugalug] Why you don't store passwords, explained

wes wes at the-wes.com
Tue Nov 5 22:29:53 UTC 2013


dave is drawing a distinction between an encrypted password and the
password's hash. it's subtle, but it's there.

-wes


On Tue, Nov 5, 2013 at 2:24 PM, Stephen Kraus <ub3ratl4sf00 at gmail.com> wrote:

> Um, correct me if I'm wrong, but a back end for a licensing server for
> your products should have the usernames and passwords associated with the
> keys stored... how else would you associate an account with its users' data?
>
> And correct me if I'm wrong but if I (Sagan forbid) lose the password
> associated with a very expensive product key, there had better be a
> recovery route.
> On Nov 5, 2013 5:21 PM, "Dave Brockman" <dave at brockmans.com> wrote:
>
>> On 11/5/2013 4:07 PM, Stephen Kraus wrote:
>> > It's more 'why you don't just encrypt your password database with a
>> >  broken encryption system'
>> >
>> > Hash storage is what they were supposed to do.
>>
>> No, it's "don't store passwords, including encrypted versions of
>> passwords".  Hashes != passwords.  This isn't one of those
>> applications that should actually save recoverable passwords.  That's
>> what KeePass is for, not Adobe's back-end licensing server(s).
>>
>> Regards,
>>
>> dtb
>> _______________________________________________
>> Chugalug mailing list
>> Chugalug at chugalug.org
>> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>>
>
>
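
The distinction drawn in this thread, as an added example that is not part of the original messages: an encrypted password comes back out for anyone holding the key, a salted hash can only be checked against a guess, and the recovery route becomes a reset rather than a lookup. All names here (`SERVER_KEY`, the function names) are hypothetical, the HMAC-based stream cipher is a constructed stand-in for "some reversible encryption" and not any vendor's scheme, and the scrypt parameters are demo values.

```python
import hashlib, hmac, os, secrets

SERVER_KEY = b"constructed-demo-key"  # constructed; one stolen key opens every row

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode, used only as an illustrative stream cipher
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt_password(password, key=SERVER_KEY):
    """Reversible storage: what the thread says NOT to do."""
    nonce, data = os.urandom(16), password.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt_password(blob, key=SERVER_KEY):
    """Anyone with the key (admin, backup thief) gets the plaintext back."""
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def _scrypt(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def hash_password(password):
    """One-way storage: per-user random salt plus a slow hash. No inverse exists."""
    salt = os.urandom(16)
    return salt, _scrypt(password, salt)

def verify_password(password, salt, digest):
    """Login check: recompute from the guess and compare in constant time."""
    return hmac.compare_digest(_scrypt(password, salt), digest)

def start_reset():
    """Recovery route: mail a one-time token, keep only its hash server-side."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).hexdigest()

def redeem_reset(token, stored_token_hash, new_password):
    """A valid token lets the user set a NEW password; the old one is never shown."""
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, stored_token_hash):
        return None
    return hash_password(new_password)

if __name__ == "__main__":
    print(decrypt_password(encrypt_password("constructed-pw")))  # plaintext returns
    salt, digest = hash_password("constructed-pw")
    print(verify_password("constructed-pw", salt, digest), digest.hex())
```

The account-to-license association lives in the account row itself; only the verifier column changes from a decryptable blob to `(salt, digest)`.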

