[Zope] Reversible encryption on passwords?

Stefan H. Holek stefan@epy.co.at
Thu, 20 Mar 2003 19:26:18 +0100


Keeping private keys on connected servers is an all-around bad idea. All I
need to do is break into your box. Can do. ;-)

Also, password garbling schemes are intentionally one-way. Otherwise you
won't gain much in terms of security.

Some explanations of the issues involved can be found here:
<http://www.gnu.org/manual/glibc-2.2.5/html_node/crypt.html>

HTH,
Stefan


--On Thursday, 20 March 2003 09:15 -0800 Terry Hancock
<hancock@anansispaceworks.com> wrote:

> Suppose I use a private key to encrypt/decrypt the password
> data for storage in the database.  The key might be stored on
> the server's filesystem or be retrieved from a more secure computer,
> but it would be used to encrypt the data for storage and then
> to decrypt it for authentication.  You could do this with public-key
> cryptography, too, but it's not clear to me that there is an
> advantage to that.

--
Those who write software only for pay should go hurt some other field.
/Erik Naggum/