[Chugalug] Why you don't store passwords, explained

wes wes at the-wes.com
Tue Nov 5 22:34:19 UTC 2013


the passwords themselves don't need to be stored at all. just have the
username and its password hash along with its license info and you're done.

as for recovery, if the password's been lost by the user, having it stored
in the DB isn't going to do anyone any good. it's not like we should
decrypt it for them and send it to them in an email....

-wes
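To make wes's point concrete, here is an added example (not code from the thread or from any product discussed in it) of a licensing-account store that keeps only the username, a salted password hash and the license info, and handles a lost password with a one-time reset token instead of ever sending a password back. The work factor, field names and token lifetime are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware budget.
PBKDF2_ITERATIONS = 600_000
RESET_TOKEN_TTL = 15 * 60  # assumed: reset links expire after 15 minutes

accounts = {}      # constructed store: username -> {"password": record, "license": key}
reset_tokens = {}  # sha256(token) -> (username, expires_at); the raw token is never stored


def hash_password(password, salt=None):
    """Derive a salted hash; the plaintext is discarded once this returns."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify_password(record, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def create_account(username, password, license_key):
    accounts[username] = {"password": hash_password(password), "license": license_key}


def login(username, password):
    rec = accounts.get(username)
    return rec is not None and verify_password(rec["password"], password)


def start_password_reset(username, now=None):
    """Issue a single-use token to deliver out of band (e.g. by e-mail).
    Nothing about the old password is needed or recoverable."""
    token = secrets.token_urlsafe(32)
    expires_at = (now if now is not None else time.time()) + RESET_TOKEN_TTL
    reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = (username, expires_at)
    return token


def complete_password_reset(token, new_password, now=None):
    """Consume the token (valid once, before expiry) and store a fresh hash."""
    entry = reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or (now if now is not None else time.time()) > entry[1]:
        return False
    accounts[entry[0]]["password"] = hash_password(new_password)
    return True
```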


On Tue, Nov 5, 2013 at 2:29 PM, Stephen Kraus <ub3ratl4sf00 at gmail.com> wrote:

> Let me clarify: the hashes are associated with the separate usernames and
> passwords on a separate database
>  On Nov 5, 2013 5:24 PM, "Stephen Kraus" <ub3ratl4sf00 at gmail.com> wrote:
>
>> Um, correct me if I'm wrong, but a back end for a licensing server for
>> your products should have the usernames and passwords associated with the
>> keys stored....how else would you associate an account with its user's data?
>>
>> And correct me if I'm wrong but if I (Sagan forbid) lose the password
>> associated with a very expensive product key, there had better be a
>> recovery route.
>> On Nov 5, 2013 5:21 PM, "Dave Brockman" <dave at brockmans.com> wrote:
>>
>>>
>>> On 11/5/2013 4:07 PM, Stephen Kraus wrote:
>>> > It's more 'why you don't just encrypt your password database with a
>>> >  broken encryption system'
>>> >
>>> > Hash storage is what they were supposed to do.
>>>
>>> No, it's "don't store passwords, including encrypted versions of
>>> passwords".  Hashes != passwords.  This isn't one of those
>>> applications that should actually save recoverable passwords.  That's
>>> what KeePass is for, not Adobe's back-end licensing server(s).
>>>
>>> Regards,
>>>
>>> dtb
>>> _______________________________________________
>>> Chugalug mailing list
>>> Chugalug at chugalug.org
>>> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>>>
>>

