[Chugalug] Why you don't store passwords, explained
wes at the-wes.com
Tue Nov 5 22:29:53 UTC 2013
Dave is drawing a distinction between an encrypted password and the
password's hash. It's subtle, but it's there.
On Tue, Nov 5, 2013 at 2:24 PM, Stephen Kraus <ub3ratl4sf00 at gmail.com> wrote:
> Um, correct me if I'm wrong, but a back end for a licensing server for
> your products should have the usernames and passwords associated with the
> keys stored... how else would you associate an account with its users' data?
> And correct me if I'm wrong but if I (Sagan forbid) lose the password
> associated with a very expensive product key, there had better be a
> recovery route.
> On Nov 5, 2013 5:21 PM, "Dave Brockman" <dave at brockmans.com> wrote:
>> On 11/5/2013 4:07 PM, Stephen Kraus wrote:
>> > It's more 'why you don't just encrypt your password database with a
>> > broken encryption system'
>> > Hash storage is what they were supposed to do.
>> No, it's "don't store passwords, including encrypted versions of
>> passwords". Hashes != passwords. This isn't one of those
>> applications that should actually save recoverable passwords. That's
>> what KeePass is for, not Adobe's back-end licensing server(s).
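The hash-versus-encrypted-password distinction discussed in this thread, as an added example that is not part of the original messages: a back end that ties product keys to a username while storing only a salted one-way hash, with recovery done by resetting the password rather than retrieving it. The in-memory store, the function names and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory "licensing back end"; every name here is hypothetical.
ITERATIONS = 600_000
accounts = {}   # username -> {"salt", "hash", "keys"}
resets = {}     # username -> SHA-256 of an outstanding one-time reset token


def _derive(password: str, salt: bytes) -> bytes:
    # One-way: there is no key that turns this value back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username: str, password: str, product_keys: list) -> None:
    salt = secrets.token_bytes(16)  # per-user salt: equal passwords, different hashes
    accounts[username] = {"salt": salt, "hash": _derive(password, salt),
                          "keys": list(product_keys)}


def verify(username: str, password: str) -> bool:
    rec = accounts.get(username)
    if rec is None:
        return False
    # Recompute from the candidate and compare in constant time.
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))


def start_reset(username: str) -> str:
    if username not in accounts:
        raise KeyError(username)
    # Recovery route: send out a one-time token; only its digest is kept.
    token = secrets.token_urlsafe(32)
    resets[username] = hashlib.sha256(token.encode()).digest()
    return token


def finish_reset(username: str, token: str, new_password: str) -> bool:
    expected = resets.pop(username, None)  # single use, right or wrong
    supplied = hashlib.sha256(token.encode()).digest()
    if expected is None or not hmac.compare_digest(expected, supplied):
        return False
    rec = accounts[username]
    rec["salt"] = secrets.token_bytes(16)
    rec["hash"] = _derive(new_password, rec["salt"])
    return True  # product keys stay attached; the old password was never needed
```

A copy of `accounts` gives an attacker salts and hashes to guess against, not passwords to read back, which is the difference from an encrypted password column whose key sits on the same server.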