Is anyone else disappointed that there is a two-way password hash for the Oracle Community from Leveragesoft (http://oracleopenworldconnect07.leveragesoftware.com)? I would tend to bet that there is actually no hash at all and it's just plain text in a database somewhere.
It kills me how many companies still run the risk of plain text passwords in the database. How many times have you had your credit card company read your personalized PIN back to you? That should never happen; they should have to put it into an application and it matches the one that was hashed in the database or LDAP server. I'd be happy to help them with encryption or federation or any of the billions of solutions to the problem.
BTW- Whatever Dan Norris posts on this, it was my point first that brought this up.
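To make the point concrete, here is an added example (not code from the post or from Leveragesoft) of what "hashed in the database" looks like: a one-way, salted PBKDF2-HMAC-SHA256 record is stored instead of the password, and a login attempt is checked by recomputing the hash and comparing it in constant time. Nothing in this scheme can read the password back, which is why a site that can e-mail your password, or a call center that can read your PIN to you, must be storing it reversibly. The iteration count, salt length and record format are assumptions for illustration; a production system would use a dedicated password hash such as Argon2 or bcrypt with a tuned cost.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration (not from the original post).
ITERATIONS = 200_000
SALT_LEN = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record to store: 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    Only this string goes into the database or directory; the password
    itself is never written anywhere. A fresh random salt per user means
    two users with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against a stored record.

    The candidate password is hashed with the record's own salt and
    iteration count, and the two digests are compared with
    hmac.compare_digest so timing does not leak how many bytes matched.
    Malformed or foreign records are rejected rather than raising.
    """
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != ALGO or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def records_differ_for_same_password(password: str) -> bool:
    """Demonstrate salting: the same password yields distinct records,
    yet both verify. A plain text or unsalted store would give one value."""
    a = hash_password(password)
    b = hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", record))
    print("same password, different records:", records_differ_for_same_password("hunter2"))
```

The stored record carries its own algorithm tag, cost and salt, so the cost can be raised later and old records re-hashed on the user's next successful login without a flag day.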
Pingback: DanNorris.com » Passwords, or just semi-secret passphrase?
Discovered a similar issue with DZone.com a few weeks ago.
http://inside-apex.blogspot.com/2007/07/dzonecom-and-password-security.html
I think some developers will never learn it…
Patrick
Semi-off topic, but the “my point first that brought this up” indicates that this might interest you –
Justin Kestelyn has announced an unconference at Oracle OpenWorld.