On 29.10.2015 at 18:08, Frederic Da Vitoria wrote:
I'd even ask the question: do you really need to store the
passwords? IOW, do you want to be able to send them back to the user? Or
do you only need to check them?

My latest access system does not use passwords at all. The server sends the users an email, they must click on a link inside. With passwords there would have to be a plan B in case users forget a password. This is typically insecurity-questions, or an email with a link for a password reset. This means that whoever can access the emails can gain access anyway. Thus using this as the primary access method does not reduce security. I would argue that in most cases it even improves it.

The best way to store passwords is to not store passwords, not even hashes.