Message162860
>> and any other place that compares passwords, tokens, …
>
> No no no. Any sensible place to compare passwords would use some
> sort of one-way function (password hash) before the comparison,
> so that someone breaking into the machine will not gain the clear
> text passwords.
I agree that this is the right way to do it. However, I disagree that it's also the only sensible way to do it in the real world. Sometimes you just _have_ to compare sensitive strings, whether you like it or not.
I see your point that adding such a function would leverage bad security behavior and thus may be a bad thing. The usefulness of such a function to some(?) people is IMHO not disputable though.
Date                | User  | Action | Args
2012-06-15 07:55:30 | hynek | set    | recipients: + hynek, loewis, arigo, ncoghlan, pitrou, christian.heimes, fijall
2012-06-15 07:55:29 | hynek | link   | issue15061 messages
2012-06-15 07:55:29 | hynek | create |
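The two positions in the exchange above, as an added example that is not part of the tracker message or of Python's own code: a naive comparison that returns at the first mismatch, a comparison whose running time depends only on the input length, and the hash-then-compare pattern the quoted reply recommends. `hmac.compare_digest` is the real standard-library function (Python 3.3 and later); the helper names and the sample token are assumptions made for this example.

```python
import hashlib
import hmac


def naive_equal(a: bytes, b: bytes) -> bool:
    """Plain comparison: returns as soon as a byte differs.

    The early return makes the running time depend on how many leading
    bytes match, which is the timing leak the thread is about."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Compare two equal-length byte strings without an early exit.

    Every byte pair is XORed and the results are OR-accumulated, so the
    loop always runs to the end; only the length is revealed by timing.
    This is the hand-rolled equivalent of hmac.compare_digest."""
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0


def store_token(token: str) -> str:
    """What the server keeps: a one-way hash of the token, never the token.

    sha256 is used here only to keep the example self-contained; a slow,
    salted password hash is the right choice for user passwords."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def token_matches(presented: str, stored_hex: str) -> bool:
    """Hash the presented value and compare fixed-length digests in
    constant time.  Hashing first means an attacker who can time the
    comparison learns nothing about the stored secret, and a breach of
    the store does not yield the clear-text token."""
    digest = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored_hex)


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    stored = store_token("example-api-token")
    print(token_matches("example-api-token", stored))   # True
    print(token_matches("example-api-tokem", stored))   # False
    print(constant_time_equal(b"secret", b"secret"))    # True
```

When the raw secret genuinely must be compared (the case the message argues exists), `constant_time_equal` or `hmac.compare_digest` on the raw bytes is the fallback; the hashed path in `token_matches` is still preferable whenever the stored side can hold a digest instead of the clear text.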