- From: Steve Harris <steve.harris@garlik.com>
- Date: Thu, 4 Feb 2010 10:33:08 +0000
- To: Jeremy Carroll <jeremy@topquadrant.com>
- Cc: Semantic Web <semantic-web@w3.org>
On 3 Feb 2010, at 23:26, Jeremy Carroll wrote: > > We have an RDF based form, where some of the details of the > presentation are decided late, based on the data and its schema. > > For our application, we need to enter various SMTP setup information > in this form, including a username and password. > Right now, the password appears in clear-text ... :( > > A colleague suggested that we invent a new datatype: > > tq:password rdfs:subClassOf xsd:string . > > and then upgrade our form presentation software to treat this > datatype with the conventional ****s > > That seems like a reasonable approach, has it been done before? Is > there a datatype to reuse, or some other method? Jeremy, I like Yihong's approach, but if that's not palatable for some reason you could crypt the password string with a strong shared-secret key, rather that storing it as plain text*. Without knowing the exact system involved it's hard to know what the risk profile is like (it could be some trivial resource that's being protected), but it's inadvisable to ever store passwords in plain text - users have a habit of reusing the same password for multiple resources. * I am not a cryptographer. This might not be the right thing, my understanding is that ideally you would just store the salted hash of the password. For what it's worth, we never store unhashed passwords. - Steve -- Steve Harris, Garlik Limited 2 Sheen Road, Richmond, TW9 1AE, UK +44 20 8973 2465 http://www.garlik.com/ Registered in England and Wales 535 7233 VAT # 849 0517 11 Registered office: Thames House, Portsmouth Road, Esher, Surrey, KT10 9AD
Received on Thursday, 4 February 2010 10:33:38 UTC