[Seaside] Proper password hashing
Boris Popov, DeepCove Labs
boris at deepcovelabs.com
Mon Apr 11 02:21:49 UTC 2011
Even if you salt it, the attacker has already sniffed the legit user's session key or cookie. MITM FTW.
Sent from my iPhone
On 2011-04-10, at 19:23, "Peter Kwangjun Suk" <peter.kwangjun.suk at gmail.com> wrote:
> On Sun, Apr 10, 2011 at 2:36 PM, Boris Popov, DeepCove Labs
> <boris at deepcovelabs.com> wrote:
>> If the attacker sniffs username/hash of a legit user, he can then add
>> the hash to his own login form as a hidden field manually and gain
>> access to your system. SSL is the only way to go here.
> Boris, thanks for the well-meaning advice but that is just dead wrong.
> The way this is usually done is that a challenge bit-string is issued
> by the server, which is then hashed with the hash of the password.
> SSL is not the only way to go, though when it is working right, the
> security is very good. I'd rather not have the overhead now and login
> is enough for my purposes for now.
> This is the way login security worked on old Unix boxen when I was
> coding on them as an undergrad in the 80's. Have we as a field really
> forgotten all this stuff?
> There's neither heaven nor hell,
> save what we grant ourselves.
> There's neither fairness nor justice,
> save what we grant each other.
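The challenge-response login Peter describes in the quoted reply above (server issues a fresh challenge; client hashes it together with the hash of the password; server checks against its stored password hash) is small enough to show end to end. The following is an added illustration, not code from this thread or from Seaside. It assumes SHA-256 and binds the challenge to the stored hash with HMAC rather than a bare concatenated hash, and the user record is constructed for the example. It also shows the two properties a reviewer would want to see: a response computed against one challenge is rejected when presented against a later one, and a wrong password fails. Two caveats the thread itself raises still apply and are visible in the code: the server must store something from which the response can be recomputed, so the stored hash is as sensitive as the password for this login path, and nothing here protects the session cookie issued after login, which is Boris's objection.

```python
import hashlib
import hmac
import secrets

# Server-side password verifier. In the scheme discussed on the list the
# server keeps the hash of the password, so that is what is stored here.
# Note that whoever holds this value can answer challenges for the user.
def password_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()

# Constructed sample user for this example (not a real account).
USERS = {"alice": password_hash("correct horse battery staple")}


def issue_challenge() -> bytes:
    """Server step: a fresh, unpredictable challenge per login attempt."""
    return secrets.token_bytes(32)


def client_response(password: str, challenge: bytes) -> bytes:
    """Client step: hash the challenge with the hash of the password.

    HMAC keyed with H(password) over the challenge is used here instead of a
    plain H(challenge || H(password)); that choice is an assumption of this
    example, not something the thread specifies.
    """
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()


def verify(username: str, challenge: bytes, response: bytes) -> bool:
    """Server step: recompute the expected response from the stored hash.

    The comparison is constant-time so the check itself does not leak how
    many leading bytes of the response were correct.
    """
    stored = USERS.get(username)
    if stored is None:
        return False
    expected = hmac.new(stored, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run one legitimate login, then try to reuse its response later."""
    password = "correct horse battery staple"

    # Legitimate login against challenge c1.
    c1 = issue_challenge()
    r1 = client_response(password, c1)
    first_login = verify("alice", c1, r1)

    # A later login attempt gets a different challenge c2. Presenting the
    # old response r1 (as an observer of the first exchange could) does not
    # verify, because r1 was bound to c1, not c2.
    c2 = issue_challenge()
    replayed_response = verify("alice", c2, r1)

    # A wrong password produces a wrong response even with the right challenge.
    wrong_password = verify("alice", c2, client_response("wrong", c2))

    return {
        "first_login": first_login,
        "replayed_response": replayed_response,
        "wrong_password": wrong_password,
    }


if __name__ == "__main__":
    print(demo())  # expected: first_login True, the other two False
```

The unpredictability of the challenge is what the whole scheme rests on; if a server reused challenges or derived them from something guessable, the replay check in `demo()` would stop holding.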