I am truly relieved that this was just a misunderstanding!

-b

On May 27, 2015 at 16:05 bill@herrin.us (William Herrin) wrote:
> On Wed, May 27, 2015 at 1:51 PM, Barry Shein <bzs@world.std.com> wrote:
> > On May 27, 2015 at 10:28 bill@herrin.us (William Herrin) wrote:
> > > On Tue, May 26, 2015 at 4:10 PM, Scott Howard <scott@doc.net.au> wrote:
> > > > It means they are storing it unhashed, which is probably what you mean.
> > >
> > > It means they're storing it in a form that reduces to plain text without human intervention. Same difference. Encrypted at rest matters not, if all the likely attack vectors go after the data in transit.
> >
> > It matters a lot. [...] The OP was correct, if they can send you your cleartext password then their security practices are inadequate, period.
> >
> > Am I speaking English? I thought I was speaking English.
> >
> > Unless I misunderstand what you're saying (I sort of hope I do)
>
> Yeah, I think you probably did since I was largely agreeing with you. What I was trying to say was that there wasn't a heck of a lot of difference between storing a user's password with reversible encryption and storing it in plain text. Both are supremely unsatisfactory. Reasonable security starts by not retaining the user's password at all. Keep only the non-reversible hash.
>
> Regards, Bill Herrin
>
> -- William Herrin ................ herrin@dirtside.com bill@herrin.us Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
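The storage practice the thread converges on (retain only a salted, non-reversible hash, never the password itself, so there is nothing the site could e-mail back) as an added worked example. This is not code from the thread or from any of its participants; it uses only Python's standard library (PBKDF2-HMAC-SHA256 via hashlib, constant-time comparison via hmac), and the record format, the iteration count and the function names are my own choices.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. The figure follows current OWASP guidance;
# raise it over time as hardware gets faster (needs_rehash() handles upgrades).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"   # assumed record tag, chosen for this example


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a one-way, salted hash and return a self-describing record.

    The record is "algorithm$iterations$salt$hash" (salt and hash hex-encoded).
    Nothing in it can be turned back into the password: the only way to
    "recover" it is to guess candidates and run each through the same slow
    derivation, which is exactly the property plaintext and reversible
    encryption both lack.
    """
    salt = os.urandom(SALT_BYTES)   # fresh per password: equal passwords differ
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse_record(record: str):
    """Split a stored record; return None if it is malformed or unknown."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        digest = bytes.fromhex(parts[3])
    except ValueError:
        return None
    if iterations < 1 or not salt or not digest:
        return None
    return iterations, salt, digest


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    parsed = _parse_record(record)
    if parsed is None:
        return False
    iterations, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    # compare_digest does not leak where the first mismatching byte is.
    return hmac.compare_digest(candidate, digest)


def needs_rehash(record: str) -> bool:
    """True if the record was made with a weaker work factor than we use now.

    Call this right after a successful verify_password(): login is the only
    moment the plaintext is in hand, so it is the only moment a stronger
    hash can be produced.
    """
    parsed = _parse_record(record)
    return parsed is None or parsed[0] < PBKDF2_ITERATIONS


if __name__ == "__main__":
    # Constructed sample input: two users who picked the same password.
    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    print(rec_a)
    print(rec_b)                      # different salt, different hash
    print("login ok:", verify_password("correct horse battery staple", rec_a))
    print("wrong pw:", verify_password("Correct horse battery staple", rec_a))
    print("upgrade needed:", needs_rehash(rec_a))
```

With records like these, a "forgot password" feature can only issue a reset link or a fresh temporary password; the server has nothing to send back, which is the check the OP was applying. The per-user salt is what stops one precomputed table from covering every account, and the iteration count is what makes each guess cost something.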