[dev] security idea

Jon Parise jon@csh.rit.edu
Fri, 3 Nov 2000 16:24:41 -0500


On Wed, Oct 04, 2000 at 01:22:28AM -0400, Chuck Hagenbuch wrote:

> I was just thinking about password security for some reason, and I had an
> idea. Right now we store passwords unencrypted in the session info - if
> session info is compromised, potentially so are accounts. However:
 
I think a good short-term action would be to encrypt the passwords
stored in the session data with some simple key ($conf['sitename'])
for the time being.  It's in no way "secure", but it keeps plaintext
passwords from being out in the open.

The only downside to this is that people might criticize us for only
going halfway.  Then again, we're not doing anything now.

-- 
Jon Parise (jon@csh.rit.edu)  .  Rochester Inst. of Technology
http://www.csh.rit.edu/~jon/  :  Computer Science House Member
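The proposal above, worked through as an added illustration that is not Horde code and not Jon's: the session-stored password is encrypted under a key derived from the site name, which keeps the plaintext out of the session store but, because the site name is public, lets anyone who reads the session data recover it in one step. `$conf` and `$session` are constructed stand-ins; the cipher choice (AES-256-CBC via the openssl extension, PHP 7.1+) is an assumption made for the example.

```php
<?php
// Added example, not part of the original message or of Horde.
// Assumes PHP 7.1+ with the openssl extension.

$conf = ['sitename' => 'Example Webmail'];   // constructed sample config

function session_key(array $conf): string {
    // Key derived only from the site name. The site name appears on every
    // page, so anyone can reproduce this key.
    return hash('sha256', $conf['sitename'], true);
}

function seal_password(string $password, string $key): string {
    // Fresh IV per encryption, prepended to the ciphertext.
    $iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
    $ct = openssl_encrypt($password, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct);
}

function open_password(string $blob, string $key): ?string {
    $raw = base64_decode($blob, true);
    $ivlen = openssl_cipher_iv_length('aes-256-cbc');
    if ($raw === false || strlen($raw) <= $ivlen) {
        return null;
    }
    $pt = openssl_decrypt(substr($raw, $ivlen), 'aes-256-cbc', $key,
                          OPENSSL_RAW_DATA, substr($raw, 0, $ivlen));
    return $pt === false ? null : $pt;
}

// What lands in the session store is no longer the plaintext password.
$session = ['password' => seal_password('hunter2', session_key($conf))];
assert(strpos($session['password'], 'hunter2') === false);

// The limit of the scheme: a reader of the session store who knows the
// (public) site name recovers the password directly.
$recovered = open_password($session['password'],
                           session_key(['sitename' => 'Example Webmail']));
assert($recovered === 'hunter2');
```

Encrypting under a key that is public, or that sits next to the data it protects, only stops casual reading of the session store; a reader who has the session data and the site name is back to plaintext.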