RE: Email Encryption?


 



What does the admin know about the client?  Do their clients have account
numbers, for instance?  If so, you could send them an email saying your user
name is the same as your last name, and your password is the same as your
user account number (and obviously don't disclose the account number in the
email) - and have the app force them to change it the first time they log in.
This way, even if the hacker intercepted the email, they would not know the
client's account number from it and therefore not be able to hack in.  Upon
change, have the app email the client (assuming you have their email address
on file) and let them know that someone has changed their account number,
and if it wasn't them... blah blah

Regards,

J


-----Original Message-----
From: Aaron Wolski [mailto:aaronjw@martekbiz.com] 
Sent: Friday, November 15, 2002 1:18 PM
To: 'Peter Beckman'
Cc: Vincent, Jason [BRAM:1334:EXCH]; php-db@lists.php.net
Subject: RE:  Email Encryption?


My client is the one doing the setup of accounts.

How would the account holder know of his password before it got encrypted?

Hence the email.

Aaron

-----Original Message-----
From: Peter Beckman [mailto:beckman@purplecow.com] 
Sent: November 15, 2002 12:35 PM
To: Aaron Wolski
Cc: 'Jason Vincent'; php-db@lists.php.net
Subject: RE:  Email Encryption?

Why not encrypt the password in the DB?  If they lose their password, it
cannot be sent to them.  They chose it, so it doesn't need to be sent to
them in their email.  If they lose it, it is changed, and they have to
change it again.  That way, only if they are stupid do they have an extra
step.

The passwords in the DB are encrypted, so only if someone gets a hold of the
DB can the passwords be cracked by brute force.

md5 would work fine for this.  It is the same security that FreeBSD uses in
their password file.

Peter

On Fri, 15 Nov 2002, Aaron Wolski wrote:

> Well.
>
> It's not what they want.. it's what one of their clients wants (very big
> corporation with very unrealistic security standards - you'd think they
> were NASA or something *grumble*)
>
> Their thought is that someone could hack the received email, log in to
> the store using the publicly displayed login details and wreak havoc
> on the store, etc.
>
> *shrugs* Sadly this isn't open for debate as a solution IS required.
>
> Any thoughts?
>
> Aaron
>
> -----Original Message-----
> From: Jason Vincent [mailto:jayv@nortelnetworks.com]
> Sent: November 15, 2002 11:42 AM
> To: Aaron Wolski; php-db@lists.php.net
> Subject: RE:  Email Encryption?
>
> Why email? If the Admin tool uses SSL, that is all you need. Regards,
> J
>
> -----Original Message-----
> From: Aaron Wolski [mailto:aaronjw@martekbiz.com]
> Sent: Friday, November 15, 2002 11:39 AM
> To: 'Aaron Wolski'; php-db@lists.php.net
> Subject: RE:  Email Encryption?
>
> Just thinking here..
>
> PGP is not an option as it would mean EACH user being set up would need
> the company's public key to decrypt. Not possible as they set up a few
> hundred accounts each month. Hmm.. anything else?
> Argh :(
> Aaron
> -----Original Message-----
> From: Aaron Wolski [mailto:aaronjw@martekbiz.com]
> Sent: November 15, 2002 11:36 AM
> To: php-db@lists.php.net
> Subject:  Email Encryption?
> <OFFTOPIC>
>
> Sorry for the off topic guys..
>
> But I've just been informed that an application we developed for a
> client whereby they use an Admin tool to set up user accounts into their
> store needs to have the login (username and password) encrypted.
>
> I am thinking PGP for this but to be honest I've never really worked
> with PGP and wouldn't have the first clue.
>
> Does anyone have any experience with this or can offer any advice at
> all?
>
> Again, sorry for the OT discussion.
>
> Aaron
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

---------------------------------------------------------------------------
Peter Beckman            Systems Engineer, Fairfax Cable Access Corporation
beckman@purplecow.com
http://www.purplecow.com/
---------------------------------------------------------------------------


-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
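
The first-login flow suggested at the top of this thread (an initial password the client already knows and that is never written in the email, a forced change at first login, a notice to the address on file when it changes), together with the hashed-storage suggestion further down, as an added PHP example that is not code from any poster. The in-memory `$users` array, the function names and the sample values are assumptions; it needs PHP 7.1+ and uses `password_hash()` in place of the md5 mentioned in the thread.

```php
<?php
// Added example: this array stands in for the users table (assumption).
$users = [];

// Admin provisions an account. The initial secret is something the client
// already knows (here an account number), so the welcome email never carries it.
function provision(array &$users, string $username, string $initialSecret, string $email): string {
    $users[$username] = [
        'hash'        => password_hash($initialSecret, PASSWORD_DEFAULT), // salted hash only
        'email'       => $email,
        'must_change' => true,   // force a change at first login
    ];
    return "To: $email\nYour user name is your last name and your initial password "
         . "is your account number. You will be asked to change it at first login.";
}

// Returns 'denied', 'must_change' or 'ok'.
function login(array $users, string $username, string $password): string {
    $u = $users[$username] ?? null;
    if ($u === null || !password_verify($password, $u['hash'])) {
        return 'denied';
    }
    return $u['must_change'] ? 'must_change' : 'ok';
}

// Replaces the password and returns the notice for the address on file,
// or null if the current password is wrong or the new one is unchanged.
function changePassword(array &$users, string $username, string $old, string $new): ?string {
    if (login($users, $username, $old) === 'denied' || $old === $new) {
        return null;
    }
    $users[$username]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    $users[$username]['must_change'] = false;
    // A real app would hand this to mail(); returned here so the example runs offline.
    return "To: {$users[$username]['email']}\nYour store password was changed. "
         . "If this was not you, contact the store administrator.";
}

// Constructed sample data, not from the thread.
$welcome = provision($users, 'smith', '10482-77', 'smith@example.com');
echo $welcome, "\n\n";
echo "secret in welcome email: ", var_export(strpos($welcome, '10482-77') !== false, true), "\n";
echo "wrong password:  ", login($users, 'smith', 'guess'), "\n";
echo "first login:     ", login($users, 'smith', '10482-77'), "\n";
echo changePassword($users, 'smith', '10482-77', 'correct horse battery'), "\n\n";
echo "old secret now:  ", login($users, 'smith', '10482-77'), "\n";
echo "new password:    ", login($users, 'smith', 'correct horse battery'), "\n";
```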


