From 26e7f86b8eee0efefb81b6672813f3597272b4ae Mon Sep 17 00:00:00 2001
From: Rob van Son
passwords can be cracked by brute force
+As the (hashed) passwords are all that is needed to identify at the site, +these should not be stored in thsi form. A site specific passphrase +can be entered as an environment variable ($ENV{'CGIMasterKey'}). This +phrase is hashed with the server site salt and the result is hashed with +the user name and then XORed with the password when it is stored. Also, to +detect changes to the account (PASSWORD) and session tickets, a +hash of some of the contents of the ticket with the server salt and +CGIMasterKey is stored in each ticket. +
+For the authentication and a change of password, the (old) password is used to "encrypt" a random one-time token or the new password, respectively. For authentication, decryption is not needed, so a secure -- 2.11.4.GIT
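Review bot: the added text leaves the hash function and the key construction unspecified in the "hashed with the server site salt ... then XORed with the password" and "hash of some of the contents of the ticket with the server salt and CGIMasterKey" sentences; name the digest used and state whether CGIMasterKey enters via a keyed construction (an HMAC) or a plain concatenation, since the security claim the paragraph makes depends on that detail. Two smaller points in the same hunk: "thsi" on the first added line should read "this", and the final added sentence stops at "so a secure", so please confirm the file's last line is complete and not truncated in the patch.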