tsb95
/
StanfordMLOctave
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
StanfordMLOctave/machine-learning-ex6/ex6/easy_ham/1500.2e6e497d8947d6125050b8...

102 lines
3.7 KiB
Plaintext
Raw Blame History

From dwheeler@ida.org Tue Sep 3 17:20:20 2002
Return-Path: <dwheeler@ida.org>
Delivered-To: yyyy@localhost.example.com
Received: from localhost (jalapeno [127.0.0.1])
by jmason.org (Postfix) with ESMTP id 7C6BB16F69
for <jm@localhost>; Tue, 3 Sep 2002 17:20:19 +0100 (IST)
Received: from jalapeno [127.0.0.1]
by localhost with IMAP (fetchmail-5.9.0)
for jm@localhost (single-drop); Tue, 03 Sep 2002 17:20:19 +0100 (IST)
Received: from outgoing.securityfocus.com (outgoing2.securityfocus.com
[66.38.151.26]) by dogma.slashnull.org (8.11.6/8.11.6) with ESMTP id
g83G4ZZ26141 for <jm@jmason.org>; Tue, 3 Sep 2002 17:04:36 +0100
Received: from lists.securityfocus.com (lists.securityfocus.com
[66.38.151.19]) by outgoing.securityfocus.com (Postfix) with QMQP id
326048F2CD; Tue, 3 Sep 2002 09:00:08 -0600 (MDT)
Mailing-List: contact secprog-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <secprog.list-id.securityfocus.com>
List-Post: <mailto:secprog@securityfocus.com>
List-Help: <mailto:secprog-help@securityfocus.com>
List-Unsubscribe: <mailto:secprog-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:secprog-subscribe@securityfocus.com>
Delivered-To: mailing list secprog@securityfocus.com
Delivered-To: moderator for secprog@securityfocus.com
Received: (qmail 21914 invoked from network); 30 Aug 2002 14:21:06 -0000
Message-Id: <3D6F8139.8040106@ida.org>
Date: Fri, 30 Aug 2002 10:29:13 -0400
From: David Wheeler <dwheeler@ida.org>
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:0.9.4.1)
Gecko/20020518 Netscape6/6.2.3
X-Accept-Language: en-us
MIME-Version: 1.0
To: Giorgio Zoppi <deneb@penguin.it>, secprog@securityfocus.com
Subject: Re: Storing passwords
References: <3D66376D.4000809@ida.org> <20020827122630.D7017@cli.di.unipi.it>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, hits=-13.1 required=7.0
tests=EMAIL_ATTRIBUTION,KNOWN_MAILING_LIST,QUOTED_EMAIL_TEXT,
REFERENCES,SIGNATURE_SHORT_DENSE,SPAM_PHRASE_03_05,
USER_AGENT,X_ACCEPT_LANG
version=2.41-cvs
X-Spam-Level:
If you need to store a database password, then
clearly the first step is to store the text outside the
web tree. You can encrypt it and store the encryption key elsewhere,
so that at least an attacker has to get two different things.
Also, don't get full privileges - create a user account that
is GRANTed very limited access.
However, you can often do better than this if security
is critical. Create a separate program which has these
database keys (as noted above), and make the web program
contact IT. Create a very limited protocol that ONLY
lets you do the operations you need (you can add specific
operations later). There's a performance hit, which you're
trading for improved data isolation.
Giorgio Zoppi wrote:
> On Fri, Aug 23, 2002, David Wheeler wrote:
>
>
>>The standard way to store passwords is... not to
>>store passwords. Instead, store a salted hash of
>>the password in a database. When you get a purported
>>password, you re-salt it, compute the hash, and
>>determine if they are the same. This is how
>>Unix has done it for years. You want bigger hashes
>>and salts than the old Unix systems, and you still want
>>to prevent reading from those files (to foil password crackers).
>>More info is in my book at:
>> http://www.dwheeler.com/secure-programs
>>
>
> Well...but this cannot be applied to database password, which most
> web apps use. The only solution I figure is store in clear outside web
> tree, any other ideas feasible?
>
> Ciao,
> Giorgio.
>
> --
> Never is Forever - deneb@penguin.it
> Homepage: http://www.cli.di.unipi.it/~zoppi/index.html
> --
>
>
>
--
--- David A. Wheeler
dwheeler@ida.org
Reference in New Issue View Git Blame Copy Permalink