by IDisposableHero
5554 days ago
"I agree this law doesn't seem to outlaw hashed passwords, it simply means that you need to store 2 copies of the password - one hashed, and one in plain text."

You are splitting hairs. It outlaws passwords where only the (salted) hash and not the plaintext is stored, which is the whole point of what's commonly known as "hashed passwords".

"store the hashed value with your live database ... and store the plain text version in ... a separate system"

Call that separate system "the moneypot". I'm tempted to suggest that people just try that and see how that works out for them, given the inevitability of failures of security and vigilance. But for the sake of the rest of us, let's not.
If someone has that level of control over your system to access a write-only file on a separate secured system, make a copy and extract it somewhere else, they probably also have enough access to insert a piece of code into your authentication system to dump all the plaintext passwords to a separate file as people log in over time.

The message remains the same for all users regardless of this law: don't reuse passwords, you can't trust their security.