[Chugalug] Why you don't store passwords, explained

Dave Brockman dave at brockmans.com
Tue Nov 5 22:58:10 UTC 2013


On 11/5/2013 5:29 PM, Stephen Kraus wrote:
> Let me clarify: the hashes are associated with the separate
> usernames and passwords on a separate database

No, at no point does my password need to be in ANY database.  The
application needs to know how to recreate the hash, salt to taste, and
compare that to what is stored in its tables.  If they match, you are
good.  If they do not, you entered the wrong password.

Regards,

dtb

