[fpc-pascal] howto store passwords

Klaus Hartnegg hartnegg at gmx.de
Fri Oct 30 09:50:09 CET 2015


On 29.10.2015 at 18:08, Frederic Da Vitoria wrote:
> I'd even ask the question: do you really need to store the
> passwords? IOW, do you want to be able to send them back to the user? Or
> do you only need to check them?

My latest access system does not use passwords at all. The server sends
the users an email, they must click on a link inside. With passwords
there would have to be a plan B in case users forget a password. This is
typically insecurity-questions, or an email with a link for a password
reset. This means that whoever can access the emails can gain access
anyway. Thus using this as primary access method does not reduce
security. I would argue that in most cases it even improves it.

The best way to store passwords is to not store passwords, not even hashes.
