[Seaside] Proper password hashing

Peter Kwangjun Suk peter.kwangjun.suk at gmail.com
Sun Apr 10 23:23:29 UTC 2011


On Sun, Apr 10, 2011 at 2:36 PM, Boris Popov, DeepCove Labs
<boris at deepcovelabs.com> wrote:
> If the attacker sniffs username/hash of a legit user, he can then add
> the hash to his own login form as a hidden field manually and gain
> access to your system. SSL is the only way to go here.

Boris, thanks for the well meaning advice but that is just dead wrong.
The way this is usually done is that a challenge bit-string is issued
by the server, which is then hashed with the hash of the password.
SSL is not the only way to go, though when it is working right, the
security is very good.  I'd rather not have the overhead now and login
is enough for my purposes for now.

This is the way login security worked on old Unix boxen when I was
coding on them as an undergrad in the 80's.  Have we as a field really
forgotten all this stuff?

--Peter

-- 
There's neither heaven nor hell,
save what we grant ourselves.
There's neither fairness nor justice,
save what we grant each other.
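The challenge-response login described above, as an added example that is not code from the original post or from Seaside: the server issues a fresh random challenge, the client answers with a keyed hash of that challenge under the hash of its password, and the server checks the answer against the hash it stores. The example also shows the property Peter is relying on: a sniffed (challenge, response) pair is useless against a later challenge. The user names, passwords and the choice of HMAC-SHA256 for combining challenge and password hash are assumptions for illustration. One caveat a practitioner should keep in mind: in this construction the stored password hash is the long-term secret, so anyone who obtains it can answer challenges without knowing the password.

```python
import hashlib
import hmac
import secrets


def password_hash(password: str) -> bytes:
    """The shared secret: H(password). The server stores this value; the
    client recomputes it from the password the user types. (A salted, slow
    KDF would be used in practice; plain SHA-256 keeps the example short.)"""
    return hashlib.sha256(password.encode("utf-8")).digest()


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side: bind the server's challenge to the password hash."""
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()


class LoginServer:
    """Server side of the exchange. Challenges are random, single use, and
    tied to the user name they were issued for."""

    def __init__(self, users: dict[str, bytes]):
        self._users = users          # username -> stored password hash
        self._pending: dict[str, bytes] = {}  # username -> outstanding challenge

    def issue_challenge(self, username: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[username] = challenge
        return challenge

    def verify(self, username: str, response: bytes) -> bool:
        # pop() makes the challenge single use: a replayed response cannot
        # be checked against the challenge it was originally computed for.
        challenge = self._pending.pop(username, None)
        stored = self._users.get(username)
        if challenge is None or stored is None:
            return False
        expected = hmac.new(stored, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo_login_and_replay() -> tuple[bool, bool, bool]:
    """Returns (legitimate login ok, sniffed response replayed, wrong password)."""
    # Constructed sample data: one registered user.
    server = LoginServer({"alice": password_hash("correct horse")})

    # 1. Legitimate login: fresh challenge, correct password.
    challenge = server.issue_challenge("alice")
    response = client_response("correct horse", challenge)
    legit_ok = server.verify("alice", response)

    # 2. Attacker sniffed `response` on the wire and replays it. The server
    #    has moved on to a new challenge, so the old answer does not match.
    server.issue_challenge("alice")
    replay_ok = server.verify("alice", response)

    # 3. Wrong password against a fresh challenge.
    challenge3 = server.issue_challenge("alice")
    wrong_ok = server.verify("alice", client_response("wrong horse", challenge3))

    return legit_ok, replay_ok, wrong_ok


if __name__ == "__main__":
    print(demo_login_and_replay())  # (True, False, False)
```

Because the response depends on the challenge, the value an eavesdropper sees cannot simply be pasted into a hidden form field for a later login; what the scheme does not do is hide the exchange from an active man-in-the-middle, which is the case SSL covers.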

