Password Storage Pattern
Posted By:   Steven_Martin
Posted On:   Wednesday, August 21, 2002 07:19 AM

My code needs to keep the encrypted version of a user's password in memory. Since we require the text version of the password, SecretKey makes the most sense to encrypt and decrypt the password.

My question is: should I keep the simple API getPassword to call the decryption algorithm and return the plaintext, or require that the key is passed to the getPassword method, or at least a decryption interface? The latter would limit the ability of a malicious program to traverse the code and reveal all passwords, or of a programmer's error to do the same.

I would prefer to keep this a certificate-free implementation.

thanks,
Steven

Re: Password Storage Pattern

Posted By:   Eugene_Kuleshov  
Posted On:   Thursday, August 22, 2002 02:14 AM

Better you read the Security FAQ on this site first.

Never encrypt your passwords, but use a digest instead. Then your API may look like checkPassword(testPassword:String):boolean
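Added example, not code from either post, of the digest-based API Eugene describes: the class keeps only a salted, iterated digest (PBKDF2 from the standard javax.crypto API, which goes beyond a bare digest) and exposes a checkPassword method but no getPassword, so there is no plaintext to hand back. The class name and everything except checkPassword are my own naming.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Holds a salted, iterated digest of the password; the plaintext is never stored. */
public final class PasswordRecord {
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;
    private final byte[] salt;
    private final byte[] digest;

    public PasswordRecord(char[] password) throws Exception {
        this.salt = new byte[16];
        new SecureRandom().nextBytes(salt);      // per-record salt defeats precomputed tables
        this.digest = derive(password, salt);
        Arrays.fill(password, '\0');             // wipe the caller's plaintext copy
    }

    /** The only operation exposed is a yes/no check; there is no getPassword(). */
    public boolean checkPassword(char[] testPassword) throws Exception {
        byte[] candidate = derive(testPassword, salt);
        Arrays.fill(testPassword, '\0');
        // constant-time comparison so timing does not reveal how many bytes matched
        return MessageDigest.isEqual(candidate, digest);
    }

    private static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();                // PBEKeySpec keeps its own copy; clear it
        }
    }

    public static void main(String[] args) throws Exception {
        // constructed sample values for a stand-alone run
        PasswordRecord rec = new PasswordRecord("correct horse".toCharArray());
        System.out.println("same password: " + rec.checkPassword("correct horse".toCharArray()));
        System.out.println("other password: " + rec.checkPassword("wrong".toCharArray()));
    }
}
```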