On 11/1/2015 7:50 PM, Anthony Walter wrote:
> Ideally you shouldn't store passwords at all. You store the hash to
> the password. In this way, someone at your business, or someone with
> access to your business, or if someone mistakenly installs some
> malicious software, your users' passwords can never be retrieved.
> When someone logs into your software/site they send their password.
> Your server then converts that password to a hash and compares it to a
> hash associated with their account, and the password then goes away.
> No one can steal your customer password list since they are never
> stored and thus cannot be compromised.
The downside of that approach however is that this opens up the
possibility to create a matching hash on "inappropriate" passwords (too
short, easy to look up/guess) and hence get access...
Ralf
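The hash-only storage Anthony describes, together with the policy check Ralf's concern calls for, as an added example that is not part of this thread. It uses a salted, iterated PBKDF2 hash from Python's standard library; the deny-list, minimum length and iteration count are constructed assumptions, not values from the list.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real common-password deny-list (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
MIN_LENGTH = 12          # assumed policy value
ITERATIONS = 200_000     # assumed work factor for PBKDF2-HMAC-SHA256


def check_password_policy(password: str) -> bool:
    """Reject the 'inappropriate' passwords the reply worries about:
    too short, or present on a list an attacker would try first."""
    if len(password) < MIN_LENGTH:
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    return True


def make_record(password: str, salt: bytes = b"") -> dict:
    """Build the stored record: per-user random salt plus iterated hash.
    The plaintext password is never kept."""
    if not check_password_policy(password):
        raise ValueError("password does not meet policy")
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, password: str) -> bool:
    """Login check: re-hash the submitted password with the stored salt and
    compare in constant time, so timing does not leak where the mismatch is."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])
```

Because each record carries its own salt, two users with the same password get different stored hashes, so a leaked table cannot be matched against a single precomputed list.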
_______________________________________________
fpc-pascal maillist - fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal