Posted by Jason Wong on 04/09/05 14:49
On Saturday 09 April 2005 19:29, trlists@clayst.com wrote:
> On 9 Apr 2005 Andy Pieters wrote:
> > It doesn't matter how you encrypt it.
> >
> > DO NOT STORE PASSWORDS ON USERS COMPUTER
> >
> > I hope that's clear enough.
>
> A couple of people have stated this but I think it is incorrect. For
> one thing the users themselves are very likely to store the password
> there, so why shouldn't you -- with permission of course?
Because you should know better than the user!
> Many sites will do this with a "remember my password and log me in
> automatically" feature.
It doesn't necessarily mean that it will literally store your password in
a cookie, it could just be storing a token. With a token, your website
could impose expiry dates on them or invalidate them (and possibly issue
a new one) whenever the user performs a full password login etc. Thus if
a bad person gets hold of your token it'll probably mean that they'll
only have access to that account for a limited period of time (depending
on what security measures your website employs). However, if you had
stored the actual password and some bad person got hold of it, then there
is no reasonable way for your website to distinguish the bad person using
the password to gain access from the legitimate user.
--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
New Year Resolution: Ignore top posted posts
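The distinction Jason draws above, a revocable token with an expiry versus the password itself, as an added PHP example that is not part of the original thread. The in-memory `$store` array stands in for a database table, and the function names and the 30-day lifetime are my own assumptions.

```php
<?php
// Added example, not from the original thread. An in-memory array stands in
// for the table a real site would use; all names and values are constructed.

const REMEMBER_TTL = 30 * 24 * 3600; // assumed policy: tokens live 30 days

// $store simulates a table: selector => ['user', 'hash', 'expires']
$store = [];

// Issue a new token. The cookie carries "selector:verifier"; the server keeps
// only a hash of the verifier, so a copy of the table does not yield cookies.
function issue_token(array &$store, string $user, int $now): string
{
    $selector = bin2hex(random_bytes(12));
    $verifier = bin2hex(random_bytes(32));
    $store[$selector] = [
        'user'    => $user,
        'hash'    => hash('sha256', $verifier),
        'expires' => $now + REMEMBER_TTL,
    ];
    // In a real application the value would be set with
    // setcookie('remember', $value, ['httponly' => true, 'secure' => true, ...]).
    return $selector . ':' . $verifier;
}

// Validate a cookie value; returns the user name, or null if the token is
// malformed, unknown, expired, or the verifier does not match.
function user_from_token(array &$store, string $cookie, int $now): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $verifier] = $parts;
    if (!isset($store[$selector])) {
        return null;
    }
    $row = $store[$selector];
    if ($row['expires'] <= $now) {
        unset($store[$selector]); // expired: drop it so it cannot be retried
        return null;
    }
    // Constant-time comparison of the stored hash against the presented verifier
    if (!hash_equals($row['hash'], hash('sha256', $verifier))) {
        return null;
    }
    return $row['user'];
}

// On a full password login, drop every outstanding token for that user and
// issue a fresh one, so an older stolen token stops working from this point.
function full_login(array &$store, string $user, int $now): string
{
    foreach ($store as $sel => $row) {
        if ($row['user'] === $user) {
            unset($store[$sel]);
        }
    }
    return issue_token($store, $user, $now);
}

// Walk-through from the command line (php remember.php)
$now = time();
$old = issue_token($store, 'alice', $now);
echo "valid token      : ", var_export(user_from_token($store, $old, $now), true), "\n";   // 'alice'
$tampered = substr($old, 0, -1) . 'x';  // hex never contains 'x', so this always differs
echo "tampered token   : ", var_export(user_from_token($store, $tampered, $now), true), "\n"; // NULL
$new = full_login($store, 'alice', $now + 60);
echo "old after relogin: ", var_export(user_from_token($store, $old, $now + 60), true), "\n"; // NULL
echo "new after relogin: ", var_export(user_from_token($store, $new, $now + 60), true), "\n"; // 'alice'
echo "new after expiry : ", var_export(user_from_token($store, $new, $now + 60 + REMEMBER_TTL), true), "\n"; // NULL
```

Because the store holds only a hash of the verifier, an attacker who reads the table still cannot build a working cookie, and because the user's full login wipes the table rows, a token that leaked earlier is dead the moment the legitimate user logs in with the password.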