Re: Storing password in cookie

On 9 Apr 2005 Andy Pieters wrote:

> It doesn't matter how you encrypt it.
> 
> DO NOT STORE PASSWORDS ON USER'S COMPUTER
> 
> I hope that's clear enough.

A couple of people have stated this but I think it is incorrect.  For 
one thing the users themselves are very likely to store the password 
there, so why shouldn't you -- with permission of course?

Many sites will do this with a "remember my password and log me in 
automatically" feature.  Web-based discussion boards, for example, do 
this routinely and the only security risk is that someone who got 
access to your computer might get access to your account on the board.  
As long as the discussion topics are not sensitive I suspect most 
people using private computers would judge this to be an acceptable 
risk.  On the other hand I would never do it (or allow a site to do it) 
for a site where my email account could be accessed, or money could be 
charged.  But others might feel their computer is secure enough that 
they are willing to take even those risks.

Like many such questions, to me this is not something that should be 
subject to absolutes but to considered judgment, some on the part of 
the developer and some on the part of the user.

--
Tom

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

