My client is the one doing the setup of accounts. How would the account holder know of his password before it got encrypted? Hense the email. Aaron -----Original Message----- From: Peter Beckman [mailto:beckman@purplecow.com] Sent: November 15, 2002 12:35 PM To: Aaron Wolski Cc: 'Jason Vincent'; php-db@lists.php.net Subject: RE: Email Encryption? Why not encrypt the password in the DB? If they lose their password, it cannot be sent to them. They chose it, so it doesn't need to be sent to them in their email. If they lose it, it is changed, and they have to change it again. That way, only if they are stupid do they have an extra step. The passwords in the DB are encrypted, so only if someone gets a hold of the DB can the passwords be cracked by brute force. md5 would work fine for this. It is the same security that FreeBSD uses in their password file. Peter On Fri, 15 Nov 2002, Aaron Wolski wrote: > Well. > > Its not what they want.. it what one of their clients want (very big > corporation with very unrealistic security standards - you'd think they > were NASA or something *grumble*) > > Their thought is that someone could hack the received email, login to > the store using the publically displayed logins details and reek havoc > on the store, etc. > > *shrugs* Sadly this isn't open for debate as a solutions IS required. > > Any thoughts? > > Aaron > > -----Original Message----- > From: Jason Vincent [mailto:jayv@nortelnetworks.com] > Sent: November 15, 2002 11:42 AM > To: Aaron Wolski; php-db@lists.php.net > Subject: RE: Email Encryption? > > Why email? If the Admin tool uses SSL, that is all you need. > Regards, > J > > -----Original Message----- > From: Aaron Wolski [mailto:aaronjw@martekbiz.com] > Sent: Friday, November 15, 2002 11:39 AM > To: 'Aaron Wolski'; php-db@lists.php.net > Subject: RE: Email Encryption? > > Just thinking here.. > > PGP is not an option as it would mean EACH user being setup would need > the company's public key to decrypt. Not possible as they setup a few > hundred accounts each month. > Hmm.. anything else? > Argh :( > Aaron > -----Original Message----- > From: Aaron Wolski [mailto:aaronjw@martekbiz.com] > Sent: November 15, 2002 11:36 AM > To: php-db@lists.php.net > Subject: Email Encryption? > <OFFTOPIC> > > Sorry for the off topic guys.. > > But I've just been informed that an application we developed for a > client whereby they use an Admin tool to setup user accounts into their > store needs to have the login (username and password) encrypted. > > I am thinking PGP for this but to be honest I've never really worked > with PGP and wouldn't have the first clue. > > Does anyone have any experience with this or can offer and advise at > all? > > Again, sorry for the OT discussion. > > Aaron > > -- > PHP Database Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > ------------------------------------------------------------------------ --- Peter Beckman Systems Engineer, Fairfax Cable Access Corporation beckman@purplecow.com http://www.purplecow.com/ ------------------------------------------------------------------------ --- -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
