[fpc-pascal] is scrypt available?
Frederic Da Vitoria
davitofrg at gmail.com
Fri Oct 30 16:30:17 CET 2015
2015-10-30 0:33 GMT+01:00 <wkitty42 at windstream.net>:
> On 10/29/2015 01:08 PM, Frederic Da Vitoria wrote:
>
>> Good point. I'd even ask the question: do you really need to store the
>> passwords? IOW, do you want to be able to send them back to the user? Or do
>> you only need to check them?
>>
>
> in the use case being studied, passwords can only be compared or reset...
>
Do you really need to compare them or simply to validate them? I ask
because in one project I worked on for an insurance company, we were
forbidden to store the passwords. We stored only a kind of checksum for
them. With something like CRC32 or even a higher resolution algorithm, you
can efficiently check that the password is correct (with really low chances
of false positives), minimize the storage space required and completely
eradicate the possibility that someone will get the actual passwords from
your database. This could be relevant if this is for a web site: many
people use the same password on all the web sites, so that if their password
is revealed on one site, they would need to change all their passwords.
--
Frederic Da Vitoria
(davitof)
Member of April - « promoting and defending free software » -
http://www.april.org
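
An added example, not part of the original message and not FPC code: a validate-only password record built with scrypt, the function named in the thread subject, written in Python because its standard library ships scrypt. The cost parameters, the record layout and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed cost parameters (not from the thread): about 16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 32
MAXMEM = 64 * 1024 * 1024  # upper bound on memory scrypt may use


def _derive(password: str, salt: bytes, n: int, r: int, p: int, dklen: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=MAXMEM, dklen=dklen)


def make_record(password: str) -> str:
    """Return the string stored in the database instead of the password."""
    salt = os.urandom(16)  # fresh per record, so equal passwords give different records
    dk = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN)
    # The parameters travel with the record so they can be raised later.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def check_password(password: str, record: str) -> bool:
    """Validate a login attempt against a stored record; never recovers the password."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = record.split("$")
        if scheme != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        actual = _derive(password, salt, int(n), int(r), int(p), len(expected))
    except (ValueError, TypeError, OverflowError):
        return False  # malformed record or parameters outside the memory bound
    # Constant-time comparison of the derived keys.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")  # constructed sample password
    print(rec)
    print(check_password("correct horse battery staple", rec))  # True
    print(check_password("wrong guess", rec))                   # False
```
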