If they have real security standards (though you said unrealistic), they would realize that good encryption isn't decryptable, only comparable. Or try and make them realize as such.

AW> My client is the one doing the setup of accounts.
AW> How would the account holder know of his password before it got
AW> encrypted?
AW> Hence the email.
AW> Aaron

AW> -----Original Message-----
AW> From: Peter Beckman [mailto:beckman@purplecow.com]
AW> Sent: November 15, 2002 12:35 PM
AW> To: Aaron Wolski
AW> Cc: 'Jason Vincent'; php-db@lists.php.net
AW> Subject: RE: Email Encryption?

AW> Why not encrypt the password in the DB? If they lose their password, it
AW> cannot be sent to them. They chose it, so it doesn't need to be sent to
AW> them in their email. If they lose it, it is changed, and they have to
AW> change it again. That way, only if they are stupid do they have an
AW> extra step.

AW> The passwords in the DB are encrypted, so only if someone gets a hold of
AW> the DB can the passwords be cracked by brute force.

AW> md5 would work fine for this. It is the same security that FreeBSD uses
AW> in their password file.

AW> Peter

AW> On Fri, 15 Nov 2002, Aaron Wolski wrote:

>> Well.
>>
>> It's not what they want.. it's what one of their clients wants (very big
>> corporation with very unrealistic security standards - you'd think they
>> were NASA or something *grumble*)
>>
>> Their thought is that someone could hack the received email, log in to
>> the store using the publicly displayed login details and wreak havoc
>> on the store, etc.
>>
>> *shrugs* Sadly this isn't open for debate as a solution IS required.
>>
>> Any thoughts?
>>
>> Aaron
>>
>> -----Original Message-----
>> From: Jason Vincent [mailto:jayv@nortelnetworks.com]
>> Sent: November 15, 2002 11:42 AM
>> To: Aaron Wolski; php-db@lists.php.net
>> Subject: RE: Email Encryption?
>>
>> Why email? If the Admin tool uses SSL, that is all you need.
>> Regards,
>> J
>>
>> -----Original Message-----
>> From: Aaron Wolski [mailto:aaronjw@martekbiz.com]
>> Sent: Friday, November 15, 2002 11:39 AM
>> To: 'Aaron Wolski'; php-db@lists.php.net
>> Subject: RE: Email Encryption?
>>
>> Just thinking here..
>>
>> PGP is not an option as it would mean EACH user being set up would need
>> the company's public key to decrypt. Not possible as they set up a few
>> hundred accounts each month.
>> Hmm.. anything else?
>> Argh :(
>> Aaron
>> -----Original Message-----
>> From: Aaron Wolski [mailto:aaronjw@martekbiz.com]
>> Sent: November 15, 2002 11:36 AM
>> To: php-db@lists.php.net
>> Subject: Email Encryption?
>> <OFFTOPIC>
>>
>> Sorry for the off topic guys..
>>
>> But I've just been informed that an application we developed for a
>> client whereby they use an Admin tool to set up user accounts into their
>> store needs to have the login (username and password) encrypted.
>>
>> I am thinking PGP for this but to be honest I've never really worked
>> with PGP and wouldn't have the first clue.
>>
>> Does anyone have any experience with this or can offer any advice at
>> all?
>>
>> Again, sorry for the OT discussion.
>>
>> Aaron
>>
>> --
>> PHP Database Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>

AW> ---------------------------------------------------------------------------
AW> Peter Beckman            Systems Engineer, Fairfax Cable Access Corporation
AW> beckman@purplecow.com                             http://www.purplecow.com/
AW> ---------------------------------------------------------------------------
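
Added example (not from the thread or its authors): PHP code for the store-only-a-hash approach discussed above, where login compares against the stored hash, a lost password is reset rather than recovered, and a temporary password must be changed after it is issued. It uses PHP's password_hash()/password_verify() (salted, slow hashing) instead of the bare md5 mentioned in the thread; the in-memory $accounts array and all function names are hypothetical.

```php
<?php
// Added example: in-memory stand-in for the accounts table (hypothetical schema).
$accounts = [];

// Admin tool or lost-password path: issue a random temporary password,
// store only its hash, and require a change at next login.
function issue_temp_password(array &$accounts, string $user): string {
    $temp = bin2hex(random_bytes(8));            // 16 hex chars from the CSPRNG
    $accounts[$user] = [
        'hash'        => password_hash($temp, PASSWORD_DEFAULT),
        'must_change' => true,
    ];
    return $temp;   // handed over once; never stored in the clear
}

// Login: compare against the stored hash; nothing is ever decrypted.
function login(array $accounts, string $user, string $password): string {
    if (!isset($accounts[$user]) ||
        !password_verify($password, $accounts[$user]['hash'])) {
        return 'denied';
    }
    return $accounts[$user]['must_change'] ? 'change_required' : 'ok';
}

// The account holder replaces the temporary password with one they chose.
function change_password(array &$accounts, string $user, string $old, string $new): bool {
    if (login($accounts, $user, $old) === 'denied') {
        return false;
    }
    $accounts[$user] = [
        'hash'        => password_hash($new, PASSWORD_DEFAULT),
        'must_change' => false,
    ];
    return true;
}

// Constructed walk-through: setup, first login, change, then a lost-password reset.
$chosen = 'correct horse battery';               // constructed sample value
$temp = issue_temp_password($accounts, 'alice');
var_dump(login($accounts, 'alice', $temp));      // temporary password accepted once
var_dump(change_password($accounts, 'alice', $temp, $chosen));
var_dump(login($accounts, 'alice', $temp));      // old temporary password
var_dump(login($accounts, 'alice', $chosen));    // user-chosen password
issue_temp_password($accounts, 'alice');         // lost password: reset, not recovered
var_dump(login($accounts, 'alice', $chosen));    // previous password after reset
```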