Re: password datatype in RDF

On 3 Feb 2010, at 23:26, Jeremy Carroll wrote:
>
> We have an RDF based form, where some of the details of the  
> presentation are decided late, based on the data and its schema.
>
> For our application, we need to enter various SMTP setup information  
> in this form, including a username and password.
> Right now, the password appears in clear-text ... :(
>
> A colleague suggested that we invent a new datatype:
>
> tq:password rdfs:subClassOf xsd:string .
>
> and then upgrade our form presentation software to treat this  
> datatype with the conventional ****s
>
> That seems like a reasonable approach, has it been done before? Is  
> there a datatype to reuse, or some other method?

Jeremy,

I like Yihong's approach, but if that's not palatable for some reason  
you could crypt the password string with a strong shared-secret key,  
rather than storing it as plain text*. Without knowing the exact  
system involved it's hard to know what the risk profile is like (it  
could be some trivial resource that's being protected), but it's  
inadvisable to ever store passwords in plain text - users have a habit  
of reusing the same password for multiple resources.

* I am not a cryptographer. This might not be the right thing, my  
understanding is that ideally you would just store the salted hash of  
the password.

For what it's worth, we never store unhashed passwords.

- Steve

-- 
Steve Harris, Garlik Limited
2 Sheen Road, Richmond, TW9 1AE, UK
+44 20 8973 2465  http://www.garlik.com/
Registered in England and Wales 535 7233 VAT # 849 0517 11
Registered office: Thames House, Portsmouth Road, Esher, Surrey, KT10 9AD

Received on Thursday, 4 February 2010 10:33:38 UTC
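Steve's two suggestions, carried through in Go as an added example that is not part of the original thread or of either poster's code. It assumes a namespace IRI for the `tq:` prefix, a second datatype `tq:sealedPassword` for the encrypted form, AES-256-GCM as the "strong shared-secret" cipher and PBKDF2-HMAC-SHA256 as the salted hash; the RDF graph is reduced to typed literals so the form software's datatype check is visible. The two paths serve different credentials: the SMTP password in the thread has to be presented to the mail server, so only the encrypt-under-a-key-held-elsewhere path fits it; the salted hash fits a password the application merely verifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// Datatype IRIs; the thread only gives the "tq:" prefix, so these are assumed.
const (
	TQPassword       = "http://example.org/tq#password"       // clear text, masked on display
	TQSealedPassword = "http://example.org/tq#sealedPassword" // base64(nonce||AES-GCM ciphertext)
)

type Literal struct{ Value, Datatype string } // typed RDF literal as the form sees it

// Display renders a literal for the form: both password datatypes become asterisks.
func Display(l Literal) string {
	if l.Datatype == TQPassword || l.Datatype == TQSealedPassword {
		return "********"
	}
	return l.Value
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16/24/32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPassword encrypts a tq:password literal under a key the mailer holds and the
// graph never contains. The datatype IRI is bound as associated data, so the
// ciphertext will not open if it is copied onto a differently typed literal.
func SealPassword(key []byte, l Literal) (Literal, error) {
	if l.Datatype != TQPassword {
		return Literal{}, errors.New("seal: literal is not a tq:password")
	}
	gcm, err := aead(key)
	if err != nil {
		return Literal{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per seal
	if _, err := rand.Read(nonce); err != nil {
		return Literal{}, err
	}
	ct := gcm.Seal(nonce, nonce, []byte(l.Value), []byte(TQSealedPassword))
	return Literal{base64.StdEncoding.EncodeToString(ct), TQSealedPassword}, nil
}

// OpenPassword recovers the clear text at the moment the SMTP client needs it.
func OpenPassword(key []byte, l Literal) (string, error) {
	if l.Datatype != TQSealedPassword {
		return "", errors.New("open: literal is not a tq:sealedPassword")
	}
	raw, err := base64.StdEncoding.DecodeString(l.Value)
	if err != nil {
		return "", err
	}
	gcm, err := aead(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns {
		return "", errors.New("open: ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], []byte(TQSealedPassword))
	if err != nil {
		return "", err // wrong key or tampered literal
	}
	return string(pt), nil
}

// HashPassword is PBKDF2-HMAC-SHA256 (RFC 8018) written out on the standard
// library, for credentials the application only verifies. Returns 32 bytes.
func HashPassword(password string, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, []byte(password))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1; one block is all we need
	u := prf.Sum(nil)
	dk := append([]byte(nil), u...)
	for n := 1; n < iter; n++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for i := range dk {
			dk[i] ^= u[i]
		}
	}
	return dk
}

// VerifyPassword compares against the stored salted hash in constant time.
func VerifyPassword(password string, salt []byte, iter int, stored []byte) bool {
	return hmac.Equal(HashPassword(password, salt, iter), stored)
}
```

The key handed to `SealPassword`/`OpenPassword` is the part that has to be provisioned to the mail-sending process out of band (environment, key file or a secrets service), because a key stored in the same graph as the sealed literal buys nothing. Each sealed literal carries its own random nonce, so re-entering the same password yields a different stored value. For the hash path, the salt is stored beside the hash and the iteration count is chosen per deployment; the constructed values in the test are only there to exercise the code.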