I am truly relieved that this was just a misunderstanding! -b
On May 27, 2015 at 16:05 b...@herrin.us (William Herrin) wrote:
> On Wed, May 27, 2015 at 1:51 PM, Barry Shein <b...@world.std.com> wrote:
> > On May 27, 2015 at 10:28 b...@herrin.us (William Herrin) wrote:
> > > On Tue, May 26, 2015 at 4:10 PM, Scott Howard <sc...@doc.net.au> wrote:
> > > > It means they are storing it unhashed which is probably what you mean.
> > >
> > > It means they're storing it in a form that reduces to plain text
> > > without human intervention. Same difference. Encrypted at rest matters
> > > not, if all the likely attack vectors go after the data in transit.
> >
> > It matters a lot. [...]
> > The OP was correct, if they can send you your cleartext password then
> > their security practices are inadequate, period.
> > Am I speaking English? I thought I was speaking English.
> >
> > Unless I misunderstand what you're saying (I sort of hope I do)
>
> Yeah, I think you probably did since I was largely agreeing with you.
> What I was trying to say was that there wasn't a heck of a lot of
> difference between storing a user's password with reversible
> encryption and storing it in plain text. Both are supremely
> unsatisfactory. Reasonable security starts by not retaining the user's
> password at all. Keep only the non-reversible hash.
>
> Regards,
> Bill Herrin
>
> --
> William Herrin ................ her...@dirtside.com b...@herrin.us
> Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
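Bill Herrin's closing point (retain no password, keep only a non-reversible hash), as an added example that is not part of the thread or anyone's posted code: a password store that keeps a salted PBKDF2-HMAC-SHA256 digest, so a "forgot password" handler has nothing it could mail back and can only issue a reset. It goes slightly beyond the thread by adding a per-user salt and a constant-time comparison; the iteration count and sample passwords are assumed values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your own hardware.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the record to store: parameters, per-user salt and the digest.

    Nothing in the record can be turned back into the password without
    guessing it, which is the property the thread is arguing for.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"alg": "pbkdf2-sha256", "iter": ITERATIONS, "salt": salt, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iter"]
    )
    return hmac.compare_digest(digest, record["hash"])


def record_contains_cleartext(record: dict, password: str) -> bool:
    """Sanity check for an audit: the stored bytes must not embed the password."""
    needle = password.encode("utf-8")
    return needle in record["salt"] or needle in record["hash"]


if __name__ == "__main__":
    # Constructed sample input, not real credentials.
    rec = hash_password("correct horse battery staple")
    print(verify_password(rec, "correct horse battery staple"))  # True
    print(verify_password(rec, "correct horse battery stapler"))  # False
    print(record_contains_cleartext(rec, "correct horse battery staple"))  # False
```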