[dev] security idea
Jon Parise
jon@csh.rit.edu
Fri, 3 Nov 2000 16:24:41 -0500
On Wed, Oct 04, 2000 at 01:22:28AM -0400, Chuck Hagenbuch wrote:
> I was just thinking about password security for some reason, and I had an
> idea. Right now we store passwords unencrypted in the session info - if
> session info is compromised, potentially so are accounts. However:
I think a good short-term action would be to encrypt the passwords
stored in the session data with some simple key ($conf['sitename'])
for the time being. It's in no way "secure", but it keeps plaintext
passwords was being out in the open.
The only downside to this is that people might criticize us for only
going halfway. Then again, we're not doing anything now.
--
Jon Parise (jon@csh.rit.edu) . Rochester Inst. of Technology
http://www.csh.rit.edu/~jon/ : Computer Science House Member