[geeklog-devel] Atom publishing

Ramnath R Iyer casual.dodo at gmail.com
Thu May 29 23:16:44 EDT 2008


On Thursday 29 May 2008 22:30:42 Vincent Furia wrote:

> You have to trust the website owner. With any method of encryption
> that we're talking about, whether one way hash or AES, it is trivial for
> the owner of a website to get your password. (i.e. as the website owner I
> could simply disable the hash/encryption, record the password prior to
> hashing/encryption, or simply decrypt the passwords.)


I could send my password to Yahoo trusting that the password won't be
intercepted and stored, but I wouldn't want some random Yahoo employee who
has access to the db to know my password. It really depends on the
situation...

--
Ramnath R Iyer


> -Vinny
>
> On Thu, May 29, 2008 at 6:22 PM, Ramnath R Iyer <casual.dodo at gmail.com>
> wrote:
> > On Thursday 29 May 2008 17:34:02 Vincent Furia wrote:
> > > Why encrypt the web services password at all? There is a good chance,
> > > if an attacker has access to your database he has access to your
> > > filesystem (and the encryption key). Additionally, what a person can
> > > do from a third party web site should be limited for security reasons
> > > anyway.
> >
> > One good reason for encrypting the password is to prevent the website
> > owner from knowing the user's passwords. For example, the user might be
> > using the same password for many mail accounts too.
> >
> > --
> > Ramnath R Iyer
> >
> > > -Vinny
> > >
> > > On Thu, May 29, 2008 at 3:19 PM, Tony Bibbs <tony at tonybibbs.com> wrote:
> > > > Dunno, pick a place. A .txt file on the file system?!? In that case the
> > > > system would want to ensure the .txt file is locked down permission-wise.
> > > > I think your point is wherever we store it we'd better lock it down
> > > > best as we can. Couldn't agree more.
> > > >
> > > > --Tony
> > > >
> > > > ----- Original Message ----
> > > > From: Joe Mucchiello <joe at ThrowingDice.com>
> > > > To: Geeklog Development <geeklog-devel at lists.geeklog.net>
> > > > Sent: Thursday, May 29, 2008 3:37:24 PM
> > > > Subject: Re: [geeklog-devel] Atom publishing
> > > >
> > > > Where do you store the cipher key?
> > > >
> > > > At 04:09 PM 5/29/2008, Tony Bibbs wrote:
> > > > >That said, my original question is still valid. If we stored a
> > > > >password encrypted some 2-way cipher in the DB you could
> > > >
> > > > ----
> > > > Joe Mucchiello
> > > > Throwing Dice Games
> > > > http://www.throwingdice.com
> > > >

> > > > _______________________________________________
> > > > geeklog-devel mailing list
> > > > geeklog-devel at lists.geeklog.net
> > > > http://eight.pairlist.net/mailman/listinfo/geeklog-devel
> > > >


> >
> > --
> > Ramnath R Iyer
> > Cornell University
> >





--
Ramnath R Iyer
Cornell University
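As an added illustration of the trade-off the thread is arguing over (not code from the thread or from Geeklog itself), the script below stores one constructed "web services password" two ways: as a salted PBKDF2 hash, which lets the site verify a login but leaves a database reader nothing to decrypt, and under a two-way cipher, which hands the plaintext back to anyone who holds both the DB row and the key. The PBKDF2 path uses Python's standard library; the two-way path uses a toy HMAC-SHA256 counter-mode keystream as a stand-in for AES (an assumption made for illustration only, not a cipher to deploy), and `SERVER_KEY_FILE_CONTENTS` is a constructed value standing in for the key file Joe asks about.

```python
import hashlib
import hmac
import secrets

# Constructed inputs: a user's web services password, and the contents of a
# key file that would sit on the web server's filesystem (assumed, not Geeklog's).
USER_PASSWORD = "correct horse battery staple"
SERVER_KEY_FILE_CONTENTS = bytes.fromhex("00112233445566778899aabbccddeeff")


# --- One-way storage: the DB row holds salt + iterated digest, never the password.
def store_hashed(password: str, iterations: int = 100_000) -> dict:
    """Return the DB record for a salted PBKDF2-HMAC-SHA256 hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_hashed(candidate: str, record: dict) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# --- Two-way storage: the DB row holds nonce + ciphertext; the key lives elsewhere.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over nonce||counter. Stand-in for AES, illustration only."""
    blocks = []
    produced = 0
    counter = 0
    while produced < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        blocks.append(block)
        produced += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def store_encrypted(password: str, key: bytes) -> dict:
    """Return the DB record for the reversibly encrypted password."""
    data = password.encode()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex()}


def recover_encrypted(record: dict, key: bytes) -> bytes:
    """Whoever holds the DB row *and* the key gets the plaintext back unchanged."""
    nonce = bytes.fromhex(record["nonce"])
    ciphertext = bytes.fromhex(record["ciphertext"])
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def exposure_report(password: str, key: bytes) -> dict:
    """Summarise what each scheme gives a reader of the DB, with and without the key."""
    hashed = store_hashed(password)
    encrypted = store_encrypted(password, key)
    wrong_key = bytes(b ^ 0xFF for b in key)  # models a DB reader who lacks the key file
    return {
        "hash_verifies_correct_password": verify_hashed(password, hashed),
        "hash_rejects_wrong_password": not verify_hashed(password + "x", hashed),
        "cipher_recovered_with_db_and_key": recover_encrypted(encrypted, key) == password.encode(),
        "cipher_recovered_with_db_only": recover_encrypted(encrypted, wrong_key) == password.encode(),
    }


if __name__ == "__main__":
    for check, result in exposure_report(USER_PASSWORD, SERVER_KEY_FILE_CONTENTS).items():
        print(f"{check}: {result}")
```

The report makes Vinny's and Joe's points concrete at once: the hashed row can only be checked against a guess, never decrypted, while the encrypted row is exactly as private as the key file's permissions, so a reader who obtains both the database and the filesystem recovers the password outright.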

