From 26e7f86b8eee0efefb81b6672813f3597272b4ae Mon Sep 17 00:00:00 2001 From: Rob van Son Date: Tue, 19 Jun 2012 21:58:09 +0200 Subject: [PATCH] Documentation --- CGIscriptor.html | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CGIscriptor.html b/CGIscriptor.html index 3a83012..7de2341 100644 --- a/CGIscriptor.html +++ b/CGIscriptor.html @@ -1687,6 +1687,16 @@ Cygwin on MS Windows.
passwords can be cracked by brute force

+As the (hashed) passwords are all that is needed to identify at the site, +these should not be stored in thsi form. A site specific passphrase +can be entered as an environment variable ($ENV{'CGIMasterKey'}). This +phrase is hashed with the server site salt and the result is hashed with +the user name and then XORed with the password when it is stored. Also, to +detect changes to the account (PASSWORD) and session tickets, a +hash of some of the contents of the ticket with the server salt and +CGIMasterKey is stored in each ticket. +

+

For the authentication and a change of password, the (old) password is used to "encrypt" a random one-time token or the new password, respectively. For authentication, decryption is not needed, so a secure -- 2.11.4.GIT
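Review bot: the new paragraph leaves two things a reader of this section needs. "a hash of some of the contents of the ticket" does not say which ticket fields are covered by the integrity hash, so an administrator cannot tell what a tampered ticket would and would not be detected on; name the fields. The paragraph should also state what the CGIMasterKey scheme defends against: the key is read from the server environment, so it only protects the stored (hashed) passwords from disclosure of the password file itself, not from an attacker who can read the running server's environment, and that limit belongs next to the description of the XOR masking. Minor: "thsi form" should read "this form".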