[Chugalug] Why you don't store passwords, explained

William Roush william.roush at roushtech.net
Wed Nov 6 00:17:58 UTC 2013


Pfft, you're lucky they're not in plain-text.

William Roush
william.roush at roushtech.net

http://www.roushtech.net/blog/


On 11/5/2013 5:56 PM, Dave Brockman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 11/5/2013 5:24 PM, Stephen Kraus wrote:
>> Um, correct me if I'm wrong, but a back end for a licensing server
>> for your products should have the usernames and passwords
>> associated with the keys stored....how else would you associate an
>> account with its users data?
> OK, you are wrong.  There is no need to store anything but a hash
> value, salted preferred.  There is absolutely zero reason for the
> licensing server to know my password.  You associate with the serial
> number of the product, tied to an email address, authenticated by the
> user by comparing the hash.  At no point does the password need to be
> stored on the back-end server.
>
>> And correct me if I'm wrong but if I (Sagan forbid) lose the
>> password associated with a very expensive product key, there had
>> better be a recovery route.
> Again, very easily accomplished.  That's the reason why your password
> can be "reset", but you can't be told what the current value is.
>
> Regards,
>
> dtb
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQEcBAEBAgAGBQJSeXetAAoJEMP+wtEOVbcddJMH/0hvDT3CyD9xcyknZO6NOGaP
> slT7XjJrrMVACesIvbwGYPv66Fvgq31B8YV/KL5pLLOqn3FSL3mI/Mwn8E1Mfh+C
> qBTfZ7qLFxZWKucLdx8CC4ARymMVVjevUTUNSPHX3f7Bmnc13uOCY9A8mGrvA229
> k4nTptZgZL8St7/aFZdDNsVM39k/JazDYc7pBk32PgGMg5/sg1c2wUOrxfbRmnOz
> FmjW5bDBLBVAYxTI4Z1AQvMHxs55mJKdaWri4sSwEFOLCAqeF0Jy0qGcMiIsBpRK
> onK2yCm8hWx7C0odOecmtvFS/IFChr/CUQCUEiupIQEIeuSg9oXONAGLfH8luAY=
> =tGsZ
> -----END PGP SIGNATURE-----
> _______________________________________________
> Chugalug mailing list
> Chugalug at chugalug.org
> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug



More information about the Chugalug mailing list