[geeklog-devel] Atom publishing

Vincent Furia vfuria at gmail.com
Thu May 29 22:30:42 EDT 2008


You have to trust the website owner.  With any method of encryption that
we're talking about, whether one-way hash or AES, it is trivial for the
owner of a website to get your password.  (i.e. as the website owner I could
simply disable the hash/encryption, record the password prior to
hashing/encryption, or simply decrypt the passwords.)

-Vinny

On Thu, May 29, 2008 at 6:22 PM, Ramnath R Iyer <casual.dodo at gmail.com>
wrote:

> On Thursday 29 May 2008 17:34:02 Vincent Furia wrote:
> > Why encrypt the web services password at all?  There is a good chance, if
> > an attacker has access to your database he has access to your filesystem
> > (and the encryption key).  Additionally, what a person can do from a third
> > party web site should be limited for security reasons anyway.
>
> One good reason for encrypting the password is to prevent the website owner
> from knowing the user's passwords. For example, the user might be using the
> same password for many mail accounts too.
>
> --
> Ramnath R Iyer
>
> > -Vinny
> >
> > On Thu, May 29, 2008 at 3:19 PM, Tony Bibbs <tony at tonybibbs.com> wrote:
> > > Dunno, pick a place.  A .txt file on the file system?!?  In that case the
> > > system would want to ensure the .txt file is locked down permission-wise.
> > >
> > > I think your point is wherever we store it we'd better lock it down
> > > best as we can.  Couldn't agree more.
> > >
> > > --Tony
> > >
> > > ----- Original Message ----
> > > From: Joe Mucchiello <joe at ThrowingDice.com>
> > > To: Geeklog Development <geeklog-devel at lists.geeklog.net>
> > > Sent: Thursday, May 29, 2008 3:37:24 PM
> > > Subject: Re: [geeklog-devel] Atom publishing
> > >
> > > Where do you store the cipher key?
> > >
> > > At 04:09 PM 5/29/2008, Tony Bibbs wrote:
> > > >That said, my original question is still valid.  If we stored a
> > > >password encrypted some 2-way cipher in the DB you could
> > >
> > > ----
> > > Joe Mucchiello
> > > Throwing Dice Games
> > > http://www.throwingdice.com
> > >
> > > _______________________________________________
> > > geeklog-devel mailing list
> > > geeklog-devel at lists.geeklog.net
> > > http://eight.pairlist.net/mailman/listinfo/geeklog-devel
> > >
> --
> Ramnath R Iyer
> Cornell University