Just another Perl shrine | |
PerlMonks |
Re^4: encrypt passwordsby BrowserUk (Patriarch) |
on Apr 17, 2015 at 17:40 UTC ( [id://1123797]=note: print w/replies, xml ) | Need Help?? |
A lovely sentiment, but it's a bit rose-colored. The statement only applies in a perfect world, That's garbage! Passwords do not need to be decrypted. Ever! You encrypt the password with a one-way hash and only store the hash. To verify: you accept the password from the user; encrypt it using the same one-way hash and compare the result against the stored, encrypted value. If they match; he's authorised. The password is never stored in any form that can be decrypted; and can only be discovered by encrypting every possibility and comparing them with the stored, encrypted result. That has been the simple, correct way to do things since forever. If you are handed a system where thousands of access routines managed by hundreds of non-IT folks are being used, the task of converting their access to more modernized and secure authentication techniques may not be permissible. Under those circumstances, obfuscation may be your only hope (Obi-wan).While I generally agree that the only thing worse than bad security is fake security, there are times when that's the only tool left in the toolbox. More utter twaddle. No wonder the web leaks like a sieve when the obvious is ignored by so many "experts". I can already hear sundialsvc4's skin crinkling as he cringes at all the things that will go wrong in the future when such a decision is made -- and he's right. sundialsvc4 is a joke of a programmer; and you'll do yourself no good by hitching your skirts to his wagon train. With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
"Science is about questioning the status quo. Questioning authority".
I'm with torvalds on this
In the absence of evidence, opinion is indistinguishable from prejudice. Agile (and TDD) debunked
In Section
Seekers of Perl Wisdom
|
|