Posted by trlists on 10/21/06 11:13
On 11 Apr 2005 Chris Shiflett wrote:
> > > DO NOT STORE PASSWORDS ON USERS COMPUTER
> >
> > A couple of people have stated this but I think it is incorrect.
>
> Please refrain from such speculation, because it does nothing to improve
> the state of security within our community. This idea of storing
> passwords in cookies is absurd.
Hmmm, sorry, it wasn't speculation but an opinion in response to what I
thought had moved from a practical into a theoretical discussion. I
agree, storing even an encrypted password in a cookie is a poor idea in
most situations. But to me development is about selecting the right
tool and using it the right way for the job at hand, and as a matter of
principle I'm not convinced that a password stored in some form in a
cookie can never, ever be the right tool for any job -- even if it's
the wrong tool for many or most. As I said in other posts, there is a
tendency here to declare certain practices as "the one and only way",
but I think development is almost always more complex and more of a
balancing act than that.
If the discussion of that balance is beyond what the list is for and
there is a need for a simple rule that everyone can follow then I
certainly agree that "don't store passwords on the user's computer" is
a far better rule and promotes better security practices than "it
depends". But as I said I thought the discussion was more theoretical
at that point, and that that was equally part of what's discussed here.
--
Tom
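The two designs argued over in this thread, as an added example in Python that is not part of the original posts: a "remember me" cookie that carries the password itself (in any encoding) next to one that carries only an opaque random token resolved server-side. The in-memory user and session tables, the PBKDF2 parameters and the helper names are constructed stand-ins for whatever a real application would use.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for a user table and a session table (not real storage).
USERS = {}      # username -> (salt, pbkdf2 digest); the password itself is never kept
SESSIONS = {}   # sha256(token) -> username; only a hash of the cookie token is kept

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def register(username: str, password: str) -> None:
    """Store only a salted, stretched hash of the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = (salt, digest)


def check_password(username: str, password: str) -> bool:
    """Verify a password against the stored hash in constant time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def cookie_with_password(username: str, password: str) -> dict:
    """Design A (the one the thread calls a poor idea): the cookie value IS the
    credential. Whatever encoding or encryption is applied client-side, anyone who
    can read the cookie (shared machine, backup, malware) holds a reusable password."""
    return {"user": username, "pw": password}


def issue_session(username: str) -> dict:
    """Design B: a random single-purpose token; the password never leaves the server."""
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = username
    return {"session": token}


def resolve_session(cookie: dict):
    """Map a presented cookie back to a user, or None if unknown/revoked."""
    token = cookie.get("session")
    if not token:
        return None
    return SESSIONS.get(hashlib.sha256(token.encode()).hexdigest())


def revoke_all_sessions(username: str) -> None:
    """A leaked token can be invalidated server-side; a leaked password cannot
    be revoked without forcing a reset."""
    for key in [k for k, u in SESSIONS.items() if u == username]:
        del SESSIONS[key]


def cookie_reveals_password(cookie: dict, username: str) -> bool:
    """What someone who reads the cookie learns: with design A, the real password."""
    pw = cookie.get("pw")
    return pw is not None and check_password(username, pw)


if __name__ == "__main__":
    register("tom", "correct horse")          # constructed sample account
    print(cookie_reveals_password(cookie_with_password("tom", "correct horse"), "tom"))
    sess = issue_session("tom")
    print(cookie_reveals_password(sess, "tom"), resolve_session(sess))
```

The difference that matters for the "it depends" question is the blast radius of a stolen cookie: design B limits it to one revocable session, design A hands over the credential for every service where the password is reused.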