
Since the key is almost definitely not stored in the db and is very likely stored fairly securely, why does it follow that "if [passwords] are accidentally exposed, it's likely the key is also exposed"?

I understand that passwords are better hashed; I just don't understand why encrypted is no better than plain text (according to some).




How do you store the key more securely than the database while still allowing your web apps to access the key whenever they need to verify or change someone's password?


Well, it's common to have db but not file system or codebase access. And it's easy to make a directory readable by only the app.



