[fpc-pascal] howto store passwords
Klaus Hartnegg
hartnegg at gmx.de
Fri Oct 30 09:50:09 CET 2015
On 29.10.2015 at 18:08, Frederic Da Vitoria wrote:
> I'd even ask the question: do you really need to store the
> passwords? IOW, do you want to be able to send them back to the user? Or
> do you only need to check them?
My latest access system does not use passwords at all. The server sends
the users an email, they must click on a link inside. With passwords
there would have to be a plan B in case users forget a password. This is
typically insecurity-questions, or an email with a link for a password
reset. This means that whoever can access the emails can gain access
anyway. Thus using this as the primary access method does not reduce
security. I would argue that in most cases it even improves it.
The best way to store passwords is to not store passwords, not even hashes.
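
The e-mailed login link described in the message above, sketched as an added example that is not part of the original post and not the poster's code. It is written in Python rather than Pascal, and the key handling, the 15-minute lifetime, the token layout and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret known only to the server
LINK_TTL = 15 * 60                    # assumption: a link is valid for 15 minutes
_used_nonces = set()                  # nonces of redeemed links (persist in a real server)


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _sign(payload):
    return _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())


def issue_token(email, now=None):
    """Return the token that goes into the e-mailed login link."""
    expiry = int(time.time() if now is None else now) + LINK_TTL
    payload = ".".join([_b64(email.encode()), str(expiry), secrets.token_urlsafe(16)])
    return payload + "." + _sign(payload)


def redeem_token(token, now=None):
    """Return the e-mail address for a valid, unexpired, unused link, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.rsplit(".", 1)
        # Check the signature before trusting any field; compare in constant time.
        if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
            return None
        email_b64, expiry, nonce = payload.split(".")
        if int(expiry) < now or nonce in _used_nonces:
            return None
        email = base64.urlsafe_b64decode(email_b64 + "=" * (-len(email_b64) % 4)).decode()
    except (ValueError, UnicodeError):
        return None
    _used_nonces.add(nonce)  # single use: a second click on the same link fails
    return email
```

The server keeps only its own signing key and the nonces of links already redeemed, so no per-user secret is stored.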