On Sat, Feb 10, 2007 at 10:24:44AM +0100, Patrick Ben Koetter wrote:
> * Roberto C. Sanchez <roberto@xxxxxxxxxxxx>:
> > On Fri, Feb 09, 2007 at 03:59:49PM -0500, Jeremiah Towe wrote:
> > >
> > > mysql> select * from accountuser;
> > > | username | password | prefix | domain_name |
> > > | maxyourstats0001 | newtest | maxyourstats | maxyourstats.com |
> > >
> >
> > This might be OT, but why on Earth would you store the password in
> > *plaintext* in the database?
>
> Because shared-secret mechanisms require the password in plaintext for
> comparison?
>

Hmm. Then how do things like Postfix and Cyrus authenticate against
system user accounts? Those are stored either crypt()ed or in md5
format.

I have a setup on a couple of servers using Postfix (SMTP AUTH for
sending) and Courier IMAP (authdaemon for IMAP access) and I store the
passwords MD5 encrypted in the database. Of course, this essentially
mandates SSL encryption for anything requiring authentication, IIRC,
since PLAIN authentication must be used. I have had no problems with
this setup.

Personally, there is nothing that would make me consider storing
passwords in cleartext in the database.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
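The trade-off discussed in this thread, as an added example that is not part of the original messages: PLAIN can be checked against a one-way hash, while a shared-secret mechanism such as CRAM-MD5 (RFC 2195) needs the secret itself on the server. The password, the challenge string and the use of PBKDF2 as a stand-in for the crypt()/MD5 storage mentioned above are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the stand-in hash


def store_hashed(password: str) -> tuple[bytes, bytes]:
    """What the database keeps when passwords are not stored in cleartext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_plain(sent_password: str, salt: bytes, stored: bytes) -> bool:
    """PLAIN: the client sends the password itself (hence TLS), so the
    server can re-hash what it received and compare with the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", sent_password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def cram_md5_digest(secret: bytes, challenge: bytes) -> str:
    """CRAM-MD5 digest: hex HMAC-MD5 of the server challenge, keyed with
    the shared secret. (The wire response also carries the username.)"""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()


def verify_cram_md5(response: str, server_secret: bytes, challenge: bytes) -> bool:
    """The server must recompute the digest with the same key the client used."""
    return hmac.compare_digest(response, cram_md5_digest(server_secret, challenge))


def demo() -> dict[str, bool]:
    password = "s3cret-example"                       # constructed sample value
    challenge = b"<1896.697170952@mail.example.com>"  # constructed challenge
    salt, stored = store_hashed(password)
    client_response = cram_md5_digest(password.encode(), challenge)
    return {
        "plain_against_hash": verify_plain(password, salt, stored),
        "plain_wrong_password": verify_plain("wrong", salt, stored),
        "cram_server_has_plaintext": verify_cram_md5(client_response, password.encode(), challenge),
        # With only the one-way hash, the server cannot reproduce the client's HMAC key.
        "cram_server_has_hash_only": verify_cram_md5(client_response, stored, challenge),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```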