storing passwords

Post by Ron Peters » Mon, 11 Dec 2000 10:37:25

I'd like to propose the unthinkable, to see what people think.

I have been considering the possibility of storing passwords in a
PostgreSQL database.  Unencrypted.

Boo Hiss.  I know, I know...

But consider.  In an environment with multiple architectures, and
multiple applications, with many users, password management is
difficult, at best.

Solutions like LDAP are a step in the right direction, but until there
is widespread support of this standard, it is only a partial
solution.  Besides which, my preferred implementation, OpenLDAP, has
yet to fully support SASL.  (LDAP => SASL yes, SASL => LDAP no).

In addition to the problem of the need to distribute authentication
credentials, there is the small matter of simply *remembering* lots of
different passwords.  We're all told: "Don't write them down, but make
them impossible to crack."  Which might be fine if you only had
one or two passwords to remember.  But I'd hazard to guess I have some
dozens of passwords I need to know.  Some I use frequently, some not.
I try to minimize, but that's not always something I can control.

So yes, I do physically record my passwords.  Truth be told, they are
in a file on my computer, to which only I have access.  There, now you
know.  Hack me to bits.  I don't know how else to manage this problem.

So I've been thinking about doing something like the following.
Against my better judgement, which is why I'm writing this damnable
expose of my ignorance.  Disabuse me, please.  Am I completely nuts,
or could something like the following work?

In a multi-user environment, allow people to change their password via
a web form.  Via https, of course.  Store the password, *unencrypted*,
in PostgreSQL.  Run scripts to distribute updates to necessary
locations.  Maybe crypt, maybe md5, maybe sha, as required.  Via
secure channels, of course.

I cringe as I await your response...
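
An added example, not part of the original post: one way to feed several systems from a single password change without keeping the cleartext is to compute each system's salted verifier inside the web form handler and store only those. The target list, function names and the PBKDF2 record layout are assumptions made for this sketch; the `{SSHA}` and `{SMD5}` layouts follow OpenLDAP's salted schemes, shown only because the post names MD5 and SHA as required formats. The trade-off is that a system needing a new format cannot be served until the user changes the password again.

```python
import base64
import hashlib
import hmac
import os

# Constructed target list: system name -> verifier scheme it requires (assumption).
TARGETS = {"ldap": "SSHA", "legacy_app": "SMD5", "web": "PBKDF2"}
DIGEST_LEN = {"SSHA": 20, "SMD5": 16, "PBKDF2": 32}
PBKDF2_ROUNDS = 200_000


def make_verifier(scheme, password, salt=None):
    """Return the salted verifier string one target system will store."""
    pw = password.encode("utf-8")
    salt = os.urandom(16) if salt is None else salt
    if scheme == "SSHA":        # base64(sha1(pw + salt) + salt)
        digest = hashlib.sha1(pw + salt).digest()
    elif scheme == "SMD5":      # base64(md5(pw + salt) + salt)
        digest = hashlib.md5(pw + salt).digest()
    elif scheme == "PBKDF2":    # record layout constructed for this example
        digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_verifier(stored, password):
    """Recompute the verifier with the stored salt and compare in constant time."""
    scheme, _, b64 = stored[1:].partition("}")
    salt = base64.b64decode(b64)[DIGEST_LEN[scheme]:]
    return hmac.compare_digest(stored, make_verifier(scheme, password, salt))


def change_password(password, targets=TARGETS):
    """Run once per password change; only the returned verifiers are persisted."""
    return {name: make_verifier(scheme, password) for name, scheme in targets.items()}


if __name__ == "__main__":
    rows = change_password("constructed sample passphrase")
    for system, verifier in rows.items():
        print(system, verifier)
```

Each returned value is what the distribution scripts would push to its system; a database dump then exposes salted hashes rather than every user's cleartext password.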



1. Password protection - don't want to store password as plain text


I'm using a *.ini file to feed data into my Windows scripts for automating
the processes in SQL Server maintenance. I'm using SQL Server 6.5. Now I'm
storing the password in a file as plain text. Is there any way I can
protect the password from people seeing it?

Please let me know, Thanks
