2015-10-30 0:33 GMT+01:00 <wkitt...@windstream.net>:
> On 10/29/2015 01:08 PM, Frederic Da Vitoria wrote:
>
>> Good point. I'd even ask the question: do you really need to store the
>> passwords? IOW, do you want to be able to send them back to the user? Or
>> do you only need to check them?
>>
>
> in the use case being studied, passwords can only be compared or reset...
>
Do you really need to compare them, or simply to validate them? I ask because in one project I worked on for an insurance company, we were forbidden to store the passwords. We stored only a kind of checksum for them. With something like CRC32, or even a higher-resolution algorithm, you can efficiently check that the password is correct (with really low chances of false positives), minimize the storage space required, and completely eradicate the possibility that someone will get the actual passwords from your database. This could be relevant if this is for a web site: many people use the same password on all the web sites, so that if their password is revealed on one site, they would need to change all their passwords.

--
Frederic Da Vitoria (davitof)
Member of April - « promote and defend free software » - http://www.april.org
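The "validate, never store" design described above, as an added example that is not part of the thread and not the insurance project's code. In place of the CRC32 the mail mentions it uses a salted, iterated PBKDF2-HMAC-SHA256 verifier (a swapped-in technique); the verifier string layout, the iteration count, the in-memory user table and the sample users are assumptions made for this example. The database row holds only the verifier, so a login can be checked and a password can be reset, but the original password cannot be read back, and two users with the same password get different stored values because each row has its own salt:

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Example parameters (assumed for this demonstration, not values from the thread).
SCHEME = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def make_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """Derive the value that is stored instead of the password.

    Layout (assumed for this example): "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>".
    The salt is random per row, so identical passwords produce different verifiers.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$".join([SCHEME, str(PBKDF2_ITERATIONS), salt.hex(), digest.hex()])


def check_password(password: str, verifier: str) -> bool:
    """Validate a login attempt against a stored verifier without ever needing the plaintext."""
    try:
        scheme, iterations, salt_hex, digest_hex = verifier.split("$")
    except ValueError:
        return False  # malformed row: refuse rather than guess
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so a mismatch does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class VerifierStore:
    """Toy in-memory user table (constructed for this example): username -> verifier."""

    def __init__(self) -> None:
        self._rows: Dict[str, str] = {}

    def set_password(self, user: str, password: str) -> None:
        """Create or reset: the only operations the thread's use case needs besides checking."""
        self._rows[user] = make_verifier(password)

    def login(self, user: str, password: str) -> bool:
        verifier = self._rows.get(user)
        if verifier is None:
            # Spend the same derivation cost for unknown users so timing does not reveal
            # which usernames exist.
            make_verifier(password)
            return False
        return check_password(password, verifier)

    def stored_value(self, user: str) -> Optional[str]:
        return self._rows.get(user)


def demo() -> Dict[str, bool]:
    """Exercise the store with constructed users and return the observations as booleans."""
    store = VerifierStore()
    store.set_password("alice", "correct horse battery staple")
    store.set_password("bob", "correct horse battery staple")
    alice_row = store.stored_value("alice") or ""
    return {
        "alice_ok": store.login("alice", "correct horse battery staple"),
        "alice_wrong_case": store.login("alice", "Correct horse battery staple"),
        "unknown_user": store.login("carol", "anything"),
        # Same password, two users: the rows differ because of the per-row salt.
        "same_password_distinct_rows": alice_row != store.stored_value("bob"),
        # The plaintext is nowhere in what the database keeps.
        "plaintext_absent": "correct horse" not in alice_row,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Resetting a password simply overwrites the row with a fresh verifier; nothing in the table ever has to be decrypted, which is what makes "forbidden to store the passwords" workable while still supporting logins.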
_______________________________________________
fpc-pascal maillist - fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal