[Chugalug] Why you don't store passwords, explained

Dave Brockman dave at brockmans.com
Tue Nov 5 22:56:45 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/5/2013 5:24 PM, Stephen Kraus wrote:
> Um, correct me if I'm wrong, but a back end for a licensing server
> for your products should have the usernames and passwords
> associated with the keys stored....how else would you associate an
> account with its users data?

OK, you are wrong.  There is no need to store anything but a hash
value, salted preferred.  There is absolutely zero reason for the
licensing server to know my password.  You associate with the serial
number of the product, tied to an email address, authenticated by the
user by comparing the hash.  At no point does the password need to be
stored on the back-end server.

> And correct me if I'm wrong but if I (Sagan forbid) lose the
> password associated with a very expensive product key, there had
> better be a recovery route.

Again, very easily accomplished.  That's the reason why your password
can be "reset", but you can't be told what the current value is.

Regards,

dtb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJSeXetAAoJEMP+wtEOVbcddJMH/0hvDT3CyD9xcyknZO6NOGaP
slT7XjJrrMVACesIvbwGYPv66Fvgq31B8YV/KL5pLLOqn3FSL3mI/Mwn8E1Mfh+C
qBTfZ7qLFxZWKucLdx8CC4ARymMVVjevUTUNSPHX3f7Bmnc13uOCY9A8mGrvA229
k4nTptZgZL8St7/aFZdDNsVM39k/JazDYc7pBk32PgGMg5/sg1c2wUOrxfbRmnOz
FmjW5bDBLBVAYxTI4Z1AQvMHxs55mJKdaWri4sSwEFOLCAqeF0Jy0qGcMiIsBpRK
onK2yCm8hWx7C0odOecmtvFS/IFChr/CUQCUEiupIQEIeuSg9oXONAGLfH8luAY=
=tGsZ
-----END PGP SIGNATURE-----
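Added worked example (not part of the thread above, and not any real licensing server's code): a minimal back end of the kind dtb describes. Each record ties a serial number to an email address and holds only a random per-user salt and a salted hash, so the server can verify a password and reset it, but never reveal it. The choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions; the post only says "hash value, salted preferred". Names such as LicenseBackend and the sample serial number are made up for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 as the salted password hash. The post
# only asks for a salted hash; any slow, salted KDF would serve the point.
PBKDF2_ITERATIONS = 200_000  # assumption; tune to your hardware


@dataclass
class LicenseRecord:
    """What the back end stores per product key: no password, ever."""
    serial: str
    email: str
    salt: bytes
    pw_hash: bytes
    reset_token_hash: Optional[bytes] = None  # hash of an outstanding reset token


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class LicenseBackend:
    def __init__(self) -> None:
        self._records: dict[str, LicenseRecord] = {}  # keyed by serial number

    def register(self, serial: str, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[serial] = LicenseRecord(serial, email, salt, _derive(password, salt))

    def authenticate(self, serial: str, email: str, password: str) -> bool:
        """Recompute the salted hash of the offered password and compare in
        constant time against the stored hash; the password itself is never
        looked up, because it is not there to look up."""
        rec = self._records.get(serial)
        if rec is None or rec.email != email:
            return False
        return hmac.compare_digest(_derive(password, rec.salt), rec.pw_hash)

    def start_reset(self, serial: str, email: str) -> Optional[str]:
        """The recovery route: issue a one-time token to be sent to the stored
        email address. Only a hash of the token is kept, so a database dump
        hands out usable reset tokens no more than it hands out passwords."""
        rec = self._records.get(serial)
        if rec is None or rec.email != email:
            return None
        token = secrets.token_urlsafe(32)
        rec.reset_token_hash = hashlib.sha256(token.encode("utf-8")).digest()
        return token

    def finish_reset(self, serial: str, token: str, new_password: str) -> bool:
        """Consume the token and replace salt and hash with fresh values."""
        rec = self._records.get(serial)
        if rec is None or rec.reset_token_hash is None:
            return False
        offered = hashlib.sha256(token.encode("utf-8")).digest()
        if not hmac.compare_digest(offered, rec.reset_token_hash):
            return False
        rec.reset_token_hash = None  # single use
        rec.salt = secrets.token_bytes(16)
        rec.pw_hash = _derive(new_password, rec.salt)
        return True

    def stored_fields(self, serial: str) -> dict:
        """Everything an attacker with a copy of the database would see."""
        rec = self._records[serial]
        return {
            "serial": rec.serial,
            "email": rec.email,
            "salt": rec.salt.hex(),
            "pw_hash": rec.pw_hash.hex(),
            "reset_token_hash": rec.reset_token_hash.hex() if rec.reset_token_hash else None,
        }


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    be = LicenseBackend()
    be.register("SN-0001", "user@example.invalid", "correct horse")
    print("login ok:", be.authenticate("SN-0001", "user@example.invalid", "correct horse"))
    print("stored:", be.stored_fields("SN-0001"))
    tok = be.start_reset("SN-0001", "user@example.invalid")
    print("reset ok:", be.finish_reset("SN-0001", tok, "new passphrase"))
```

The record printed by stored_fields is the whole point of the thread: the serial, the email, a salt and a hash, with nothing that can be handed back to a user who forgot the password, which is exactly why the only recovery route is a reset.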

