dcrespo wrote:
> then, what you propose?

I'll assume that question was for me, in response to my comment that one should never store passwords in the clear.

Do you know how any other system manages to do this? Linux, for example (assuming a properly configured system)? The passwords aren't stored: hashes of the passwords are stored (with additional things thrown in to prevent certain kinds of attacks even if someone nabs the password (/etc/shadow) file). If you store the password or even encrypt it (i.e. something that can be reversed if someone knows the key), it's a risk.

If you don't know about this stuff yet, I strongly suggest lots of additional research and reading prior to implementing a serious system. There are _many_ web pages to be found which discuss this sort of thing, probably including lots of tutorials for people starting on the ground floor.

I bet Paul R or others more experienced in this area can point us to some excellent ones, but a little googling with "passwords store clear text" or "encrypted passwords" would get you started. I expect that would quickly lead to the term "hashing", since you really don't want to just encrypt the password: that can easily be reversed if anyone has the key, and certainly an administrator could access the key used by some random application that encrypts its passwords.

The first few hits for that last search seem to include pages that introduce the concept of "salt", one of the "additional things" I mentioned above.

I'm not going to try to give a tutorial: I'm not nearly expert enough to be trusted for that. :-) I just wanted to warn against one of the most basic and easily avoidable problems.

-Peter