[geeklog-devel] Atom publishing

Ramnath R Iyer casual.dodo at gmail.com
Thu May 29 23:16:44 EDT 2008


On Thursday 29 May 2008 22:30:42 Vincent Furia wrote:
> You have to trust the website owner.  With any method of encryption
> that we're talking about, whether one way hash or AES, it is trivial for
> the owner of a website to get your password.  (i.e. as the website owner I
> could simply disable the hash/encryption, record the password prior to
> hashing/encryption, or simply decrypt the passwords.)

I could send my password to Yahoo trusting that the password won't be 
intercepted and stored, but I wouldn't want some random Yahoo employee who 
has access to the db to know my password. It really depends on the 
situation...

--
Ramnath R Iyer

> -Vinny
>
> On Thu, May 29, 2008 at 6:22 PM, Ramnath R Iyer <casual.dodo at gmail.com> wrote:
> > On Thursday 29 May 2008 17:34:02 Vincent Furia wrote:
> > > Why encrypt the web services password at all?  There is a good chance,
> > > if an attacker has access to your database he has access to your
> > > filesystem (and the encryption key).  Additionally, what a person can
> > > do from a third party web site should be limited for security reasons
> > > anyway.
> >
> > One good reason for encrypting the password is to prevent the website
> > owner from knowing the user's passwords. For example, the user might be
> > using the same password for many mail accounts too.
> >
> > --
> > Ramnath R Iyer
> >
> > > -Vinny
> > >
> > > On Thu, May 29, 2008 at 3:19 PM, Tony Bibbs <tony at tonybibbs.com> wrote:
> > > > Dunno, pick a place.  a .txt file on the file system?!?  In that case
> > > > the system would want to ensure the .txt file is locked down
> > > > permission-wise.
> > > > I think your point is wherever we store it we'd better lock it down
> > > > best as we can.  Couldn't agree more.
> > > >
> > > > --Tony
> > > >
> > > > ----- Original Message ----
> > > > From: Joe Mucchiello <joe at ThrowingDice.com>
> > > > To: Geeklog Development <geeklog-devel at lists.geeklog.net>
> > > > Sent: Thursday, May 29, 2008 3:37:24 PM
> > > > Subject: Re: [geeklog-devel] Atom publishing
> > > >
> > > > Where do you store the cipher key?
> > > >
> > > > At 04:09 PM 5/29/2008, Tony Bibbs wrote:
> > > > >That said, my original question is still valid.  If we stored a
> > > > >password encrypted some 2-way cipher in the DB you could
> > > >
> > > > ----
> > > > Joe Mucchiello
> > > > Throwing Dice Games
> > > > http://www.throwingdice.com
> > > >
> > > > _______________________________________________
> > > > geeklog-devel mailing list
> > > > geeklog-devel at lists.geeklog.net
> > > > http://eight.pairlist.net/mailman/listinfo/geeklog-devel
> >
> > --
> > Ramnath R Iyer
> > Cornell University



-- 
Ramnath R Iyer
Cornell University