[DAS] HTTP Authentication Plug

Andy Jenkinson andy.jenkinson at ebi.ac.uk
Wed Oct 29 11:16:46 UTC 2008


Andreas Kahari wrote:
> On Wed, Oct 29, 2008 at 10:10:38AM +0000, Dave Howorth wrote:
>> It's my understanding (though I am not a lawyer :) that storing a
>> username together with a password constitutes 'private data' and that any
>> database or other mechanism used to store that information would
>> therefore need to be registered with your organisation and be audited. I
>> also understand that ignoring the requirement is a sacking offence, at
>> least where I work.
> 
> Most password authentication software does not store plain text
> passwords, only checksums (e.g. MD5 or SHA1) of passwords.  This is the
> case on modern UNIX and UNIX-like operating systems (for user login
> authentication) as well as for most software systems supporting password
> authentication, for example Apache (see manual for htpasswd).

It's not 100% clear whether this qualifies as "does not need to be 
audited" or "would pass audit". It would come down to what exactly is 
considered "private data", according to local policy.
