What are the technical reasons not to use a non-reversible transformation when storing passwords in a database? That way, even when the password database is leaked, nobody can read any password. If it is reversible, it would fail to comply with some standards, e.g. the French National Commission on Informatics and Liberty (CNIL). Is it due to costs?
-
There might be a few technical reasons that passwords are not stored this way (like when supporting Digest authentication), but other than that it is basically asking why not everybody implements best practices. This kind of broad scope leads to primarily opinion based answers and is thus not a good fit for a site. Maybe you could limit the scope of your question by only asking for technical reasons when passwords can not be stored this way - if this is what you want to know. – Steffen Ullrich Apr 06 '21 at 11:24
-
@SteffenUllrich why is supporting digest authentication necessary? Can't they do it in other ways that are more secure? – Apr 06 '21 at 14:13
-
This is a different question. And your original question still has the same broad scope. But for example digest authentication is the standard with SIP (voice over IP). – Steffen Ullrich Apr 06 '21 at 14:33
-
If you have any links about countries that require this by law, I'd be interested to see – paj28 Apr 06 '21 at 14:47
-
@paj28 https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000035142451/ – Apr 06 '21 at 14:52
-
@paj28 Looks like it is only "recommended"... – Apr 06 '21 at 14:55
-
@paj28 but if it is reversible, it does not comply with CNIL... see this link: https://www.vaadata.com/blog/how-to-securely-store-passwords-in-database/ – Apr 06 '21 at 14:59
-
CNIL still only "recommends" – schroeder Apr 06 '21 at 15:09
-
There is no technical reason, except inertia. Some older systems cannot be changed. This really boils down to "why don't people make more secure decisions?" and I'm afraid we can't answer this. – schroeder Apr 06 '21 at 15:10
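The contrast the thread is about, as an added example that is not from the question or any commenter: a non-reversible password store using a salted, slow KDF (PBKDF2-HMAC-SHA256), next to the Digest-authentication constraint Steffen mentions, where the server must hold the exact RFC 2617 `HA1 = MD5(username:realm:password)` value. The record format and iteration count are my own choices, not a standard.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters; tune iterations to your hardware and latency budget.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Non-reversible storage: PBKDF2-HMAC-SHA256 over a per-user random salt.

    Returns a self-describing record "pbkdf2_sha256$iterations$salt_hex$hash_hex"
    (a constructed format). Nothing in the record lets the password be
    recovered; a login can only be re-derived and compared against it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt/iterations; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HTTP/SIP Digest authentication (RFC 2617) needs the server to hold
    HA1 = MD5(username:realm:password) to validate client responses.

    HA1 is also non-reversible, but it is an unsalted, fast hash bound to a
    fixed realm: a leaked HA1 table is much cheaper to attack offline than the
    PBKDF2 records above, and it cannot be migrated to a slower KDF until the
    user next presents the plaintext password.
    """
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()
```

The `digest_ha1` check in a test reproduces the worked value from RFC 2617 section 3.5 (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life").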