[DAS] HTTP Authentication Plug

Andreas Kahari ak at ebi.ac.uk
Wed Oct 29 11:45:06 UTC 2008


On Wed, Oct 29, 2008 at 11:16:46AM +0000, Andy Jenkinson wrote:
> Andreas Kahari wrote:
>> On Wed, Oct 29, 2008 at 10:10:38AM +0000, Dave Howorth wrote:
>>> It's my understanding (though I am not a lawyer :) that storing a
>>> username together with a password constitutes 'private data' and that any
>>> database or other mechanism used to store that information would
>>> therefore need to be registered with your organisation and be audited. I
>>> also understand that ignoring the requirement is a sacking offence, at
>>> least where I work.
>>
>> Most password authentication software does not store plain text
>> passwords, only checksums (e.g. MD5 or SHA1) of passwords.  This is the
>> case on modern UNIX and UNIX-like operating systems (for user login
>> authentication) as well as for most software systems supporting password
>> authentication, for example Apache (see manual for htpasswd).
>
> It's not 100% clear whether this qualifies as "does not need to be
> audited" or "would pass audit". It would come down to what exactly is
> considered "private data", according to local policy.

Believe me when I say I'm very happy that I do not need to be part of
this discussion...

Best of luck,
Andreas


-- 
Andreas Kähäri, Ensembl Software Developer
European Bioinformatics Institute (EMBL-EBI)
Wellcome Trust Genome Campus, Hinxton
Cambridge CB10 1SD, United Kingdom
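As an added worked example, not part of the thread or of any project mentioned in it: the storage scheme the quoted message describes (a one-way checksum of the password kept on disk instead of the password itself), implemented here with a salted PBKDF2-HMAC-SHA256 digest rather than a bare MD5 or SHA1 checksum. The record format, the in-memory user store and the function names are assumptions of this example, not Apache's htpasswd format. For contrast it also builds the unsalted {SHA} record that `htpasswd -s` writes, which shows the caveat a reviewer of such a store would raise: with no salt, two users who chose the same password get identical records, and one precomputed table of digests cracks all of them at once.

```python
import base64
import hashlib
import hmac
import os

# Assumed record format for this example (not Apache's htpasswd format):
#   pbkdf2_sha256$<iterations>$<base64 salt>$<base64 digest>
ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable record derived from the password; the password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(record, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != ALGO:
        return False  # unknown scheme; never fall back to a weaker comparison
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def add_user(store, username, password):
    """Store only the derived record for the user (hypothetical dict-backed store)."""
    store[username] = hash_password(password)


def check_login(store, username, password):
    record = store.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response timing
        # does not reveal which usernames exist.
        hash_password(password, salt=b"\x00" * 16)
        return False
    return verify_password(record, password)


def plaintext_present(store, password):
    """Audit helper: does the password appear verbatim in any stored record?"""
    return any(password in record for record in store.values())


def unsalted_sha1_record(password):
    """The {SHA} form htpasswd -s writes: one deterministic digest, no salt."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    users = {}  # constructed sample store
    add_user(users, "alice", "correct horse battery staple")
    add_user(users, "bob", "correct horse battery staple")
    print(users["alice"])
    print(users["bob"])  # same password, different record thanks to the salt
    print(check_login(users, "alice", "correct horse battery staple"))
    print(check_login(users, "alice", "wrong"))
    # Unsalted: identical passwords give identical, table-lookup-able records.
    print(unsalted_sha1_record("correct horse battery staple"))
    print(unsalted_sha1_record("correct horse battery staple"))
```

Whether a store like this counts as "private data" under a given policy is the question the thread leaves open; what the code makes concrete is that the record can be verified against a presented password but cannot be turned back into one, and that the salt is what stops one cracked record from exposing every user with the same password.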
