Thread: Polarismail
29 May 2012, 02:14 AM   #22
SethM
Senior Member
 
Join Date: Oct 2009
Location: Nevada
Posts: 142

Representative of:
Rollernet.us
Quote:
Originally Posted by kijinbear
Thanks for the clarification. I'm thinking you could perhaps encrypt third-party credentials with the user's own password so that it is decrypted only when needed... But what you're doing is still leaps and bounds better than some other providers (ahem FM ahem) who didn't even encrypt their users' passwords the last time the topic came up in these forums. That should be good enough unless OP is really paranoid.

IMO that would be just as bad as storing the user's password in the clear. User passwords should be one-way hashed, never encrypted (which is reversible).

http://en.wikipedia.org/wiki/Cryptog..._hash_function

Last edited by SethM : 29 May 2012 at 02:15 AM. Reason: Wikipedia link on hashing
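One-way password storage as described in the post above, shown as an added example that is not part of the original post or any provider's code: the server keeps only a random salt and an scrypt digest, and checks a login by recomputing the digest. The function names, record layout and cost parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed cost parameters for illustration; tune them to your own hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)


def hash_password(password: str) -> dict:
    """Build the record a server would store: a salt and a one-way digest.

    The password itself is never stored, and no key exists that could
    turn the digest back into the password.
    """
    salt = secrets.token_bytes(16)  # fresh per user, defeats precomputed tables
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return {"salt": salt.hex(), "digest": digest.hex()}


def verify_password(candidate: str, record: dict) -> bool:
    """Recompute the digest from the candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    recomputed = hashlib.scrypt(candidate.encode("utf-8"), salt=salt, **SCRYPT)
    return hmac.compare_digest(recomputed, bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    # Constructed sample password, not taken from the thread.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
```

A database leak of such records exposes only salts and digests, so an attacker has to guess each password and pay the scrypt cost per guess, whereas an encrypted password is recovered directly by whoever holds the decryption key.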