General Password questions

G.A. gafStopSpamData at ziplink.stopallspam.net
Tue Sep 30 22:23:59 CEST 2003


On Tue, 23 Sep 2003 18:02:37 +0200, Riccardo Attilio Galli
<riquito at riquito.matrix> wrote:

>english). An user should never enter the password again. I know how hashes
>work, and they're useful when I can compare an entered password with an
>hash value, but here I need that the user don't enter a password anymore
>(after the first time).

Better late than never:  The only way to do this securely is to rely on the
operating system's security, and even that isn't always possible.  I think
the NT/W2K model allows for encryption based on keys that only the specific
user can use (i.e. you have to actually be logged in as that user; I'm not
sure if the adminstrator can fake it).  This won't work on 9X.  On UNIX, a
close approximation is to just store the password in a file to which only
the user has read access, but obviously root will still have access.

Note that if the application supports multiple mail accounts for a single
user (as many do), then it becomes useful to have a single password for the
application, used to encrypt the various passwords for the different mail
accounts.

Gary




More information about the Python-list mailing list