[Chugalug] Why you don't store passwords, explained
dave at brockmans.com
Tue Nov 5 22:56:45 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
On 11/5/2013 5:24 PM, Stephen Kraus wrote:
> Um, correct me if I'm wrong, but a back end for a licensing server
> for your products should have the usernames and passwords
> associated with the keys stored....how else would you associate an
> account with its users data?
OK, you are wrong. There is no need to store anything but a hash
value, salted preferred. There is absolutely zero reason for the
licensing server to know my password. You associate with the serial
number of the product, tied to an email address, authenticated by the
user by comparing the hash. At no point does the password need to be
stored on the back-end server.
> And correct me if I'm wrong but if I (Sagan forbid) lose the
> password associated with a very expensive product key, there had
> better be a recovery route.
Again, very easily accomplished. That's the reason why your password
can be "reset", but you can't be told what the current value is.
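The scheme Dave describes (keep only a salted hash, authenticate by recomputing and comparing it, and recover by resetting rather than revealing) looks like this in code. This is an added illustration, not code from the list thread; it uses only the Python standard library, the serial number and e-mail are constructed placeholders, and the PBKDF2 iteration count is a work factor to tune for your own hardware, not a value from the thread. The reset path stores only the hash of a single-use, expiring token, so a copy of the database never contains a password or a live reset token.

```python
"""Licensing back end that never stores a password (constructed example)."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

PBKDF2_ITERATIONS = 600_000      # work factor: assumption, tune for your hardware
SALT_BYTES = 16
RESET_TOKEN_TTL_SECONDS = 15 * 60


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password with a per-account random salt (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class LicenseAccounts:
    """Per e-mail the server keeps: product serial, salt, password hash and
    (optionally) the hash of an outstanding reset token. Never the password."""

    def __init__(self) -> None:
        self._accounts: Dict[str, dict] = {}

    def register(self, email: str, serial: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        self._accounts[email] = {
            "serial": serial,
            "salt": salt,
            "hash": derive_key(password, salt),
            "reset": None,  # (sha256(token), expiry timestamp) while a reset is pending
        }

    def stored_record(self, email: str) -> Optional[dict]:
        """What an attacker would get from a database dump: no plaintext."""
        acct = self._accounts.get(email)
        return dict(acct) if acct else None

    def authenticate(self, email: str, password: str) -> Optional[str]:
        """Recompute the hash and compare in constant time; return the serial on success."""
        acct = self._accounts.get(email)
        if acct is None:
            # Do the same work for an unknown account so timing doesn't leak
            # which e-mails exist.
            derive_key(password, b"\x00" * SALT_BYTES)
            return None
        candidate = derive_key(password, acct["salt"])
        return acct["serial"] if hmac.compare_digest(candidate, acct["hash"]) else None

    def request_reset(self, email: str, now: float) -> Optional[str]:
        """Issue a one-time token to send to the account's e-mail address.
        Only its hash is stored, so a leaked table doesn't expose live tokens."""
        acct = self._accounts.get(email)
        if acct is None:
            return None
        token = secrets.token_urlsafe(32)
        acct["reset"] = (hashlib.sha256(token.encode()).digest(),
                         now + RESET_TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, email: str, token: str, new_password: str,
                       now: float) -> bool:
        """Redeem the token once, before expiry, and install a fresh salt + hash."""
        acct = self._accounts.get(email)
        if acct is None or acct["reset"] is None:
            return False
        token_hash, expires = acct["reset"]
        presented = hashlib.sha256(token.encode()).digest()
        if now > expires or not hmac.compare_digest(presented, token_hash):
            return False
        acct["reset"] = None  # single use
        salt = os.urandom(SALT_BYTES)
        acct["salt"] = salt
        acct["hash"] = derive_key(new_password, salt)
        return True


if __name__ == "__main__":
    store = LicenseAccounts()
    store.register("user@example.com", "SERIAL-PLACEHOLDER-0001", "correct horse")
    print("login ok:", store.authenticate("user@example.com", "correct horse"))
    tok = store.request_reset("user@example.com", now=1000.0)
    print("reset ok:", store.complete_reset("user@example.com", tok, "new pw", now=1001.0))
    print("old password rejected:", store.authenticate("user@example.com", "correct horse") is None)
```

Note that the server can answer "is this the right password?" and "change it to this new one" but has no way to answer "what is it?", which is exactly the property the thread is arguing for.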