[Tutor] How to obfuscate a database password.

Max Noel maxnoel_fr at yahoo.fr
Wed Apr 20 02:41:19 CEST 2005


On Apr 20, 2005, at 01:29, Danny Yoo wrote:

>
>
>>> Is there a convention for obfuscating database passwords?
>
> Hi David,
>
> Most people run passwords through some sort of hashing function.  That is,
> databases almost never contain passwords in the clear, but instead store
> the hashes of those passwords.
>
> For example, I am almost positive that Amazon does not store its users'
> passwords in the clear.  *grin*

	The problem is, if I understood David's problem correctly, what he 
wants is a way to store a password to a database in his program (or a 
data file, or whatever), so that the program can access it without 
asking the user for a password.
	And as far as I know, there is no reliable way to do that. Since the 
program has to at some point decrypt the password, there are countless 
ways of intercepting it (including but not limited to reading the 
source code and sniffing the connection the program establishes to the 
DB).

> Storing clear-text passwords would be terrible from a security point of
> view, since some people, despite being warned, use the same password for
> everything that they do.

	I think you can safely s/some/most/ on this one :D

-- Max
maxnoel_fr at yahoo dot fr -- ICQ #85274019
"Look at you hacker... A pathetic creature of meat and bone, panting 
and sweating as you run through my corridors... How can you challenge a 
perfect, immortal machine?"
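
An added example, not part of the original message or of either poster's code: it contrasts the two cases discussed in this thread. A salted one-way hash lets a server check a user's password without storing it, while a credential the program itself must present to the database has to be reversible, so its decoding step ships with the program. The sample passwords, the XOR/base64 scheme, the key and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values, not taken from the thread.
USER_PASSWORD = "correct horse battery staple"
DB_PASSWORD = "s3rvice-account-pw"


def hash_password(password, salt=None, iterations=200_000):
    """One-way salted hash: what a users table stores instead of the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(candidate, record):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    check = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(check, digest)


def obfuscate(secret, key):
    """Reversible XOR + base64 encoding of a credential the program must use."""
    mixed = bytes(b ^ key[i % len(key)] for i, b in enumerate(secret.encode()))
    return base64.b64encode(mixed).decode()


def deobfuscate(blob, key):
    """The program needs this to connect, so whoever can read the program has it."""
    mixed = base64.b64decode(blob)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(mixed)).decode()


if __name__ == "__main__":
    record = hash_password(USER_PASSWORD)
    print("login ok:", verify_password(USER_PASSWORD, record))
    print("wrong pw:", verify_password("guess", record))
    # A hash cannot be presented to the database as a credential, so the
    # program ends up storing something reversible next to its own key.
    key = b"key-shipped-with-the-program"
    blob = obfuscate(DB_PASSWORD, key)
    print("stored blob:", blob)
    print("recovered  :", deobfuscate(blob, key))
```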


