[DAS] HTTP Authentication Plug

Andy Jenkinson andy.jenkinson at ebi.ac.uk
Wed Oct 29 11:50:28 UTC 2008


Dave Howorth wrote:
> Oops, forgot to send to list ...
> 
> Andreas Kahari wrote:
>> Most password authentication software does not store plain text
>> passwords, only checksums (e.g. MD5 or SHA1) of passwords.  This is the
>> case on modern UNIX and UNIX-like operating systems (for user login
>> authentication) as well as for most software systems supporting password
>> authentication, for example Apache (see manual for htpasswd).
> 
> As far as I understand, it doesn't matter whether they are stored in the
> clear. Storing an encrypted password would still need to be registered.
> I do realize the difference between that and a cryptographic hash but I
> doubt whether the law is that sophisticated. All I'm saying is that I
> think there is an issue and I believe it would be wise to check the
> situation with a specialist lawyer rather than rely on my or any other
> layperson's beliefs.

Of course, OpenID neatly sidesteps this issue by not requiring a server 
to handle any private data ;)
