[Seaside] Proper password hashing
Boris Popov, DeepCove Labs
boris at deepcovelabs.com
Mon Apr 11 02:23:13 UTC 2011
Sent from my iPhone
On 2011-04-10, at 22:22, "Boris Popov, DeepCove Labs" <boris at deepcovelabs.com> wrote:
> Even if you salt it, the attacker had sniffed the legit user's session key or cookie already. MITM FTW.
> Sent from my iPhone
> On 2011-04-10, at 19:23, "Peter Kwangjun Suk" <peter.kwangjun.suk at gmail.com> wrote:
>> On Sun, Apr 10, 2011 at 2:36 PM, Boris Popov, DeepCove Labs
>> <boris at deepcovelabs.com> wrote:
>>> If the attacker sniffs username/hash of a legit user, he can then add
>>> the hash to his own login form as a hidden field manually and gain
>>> access to your system. SSL is the only way to go here.
>> Boris, thanks for the well meaning advice but that is just dead wrong.
>> The way this is usually done is that a challenge bit-string is issued
>> by the server, which is then hashed with the hash of the password.
>> SSL is not the only way to go, though when it is working right, the
>> security is very good. I'd rather not have the overhead now and login
>> is enough for my purposes for now.
>> This is the way login security worked on old Unix boxen when I was
>> coding on them as an undergrad in the 80's. Have we as a field really
>> forgotten all this stuff?
>> There's neither heaven nor hell,
>> save what we grant ourselves.
>> There's neither fairness nor justice,
>> save what we grant each other.
>> seaside mailing list
>> seaside at lists.squeakfoundation.org
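The exchange Peter describes (server issues a challenge, client answers with a keyed hash of that challenge under the password hash, server checks it) and the replay scenario Boris raises, worked through as an added example. This is illustrative Python written for this archive, not code from Seaside or from either poster; the class and function names, the PBKDF2 salt/iteration choices and the HMAC-SHA256 response function are assumptions made here. It shows why a sniffed response cannot simply be pasted into a later login (each challenge is single-use and the response is bound to it), and the usage note below states what the scheme does not cover.

```python
import hashlib
import hmac
import os
import secrets


def password_hash(password: str, salt: bytes) -> bytes:
    """Assumed 'hash of the password': a salted PBKDF2-HMAC-SHA256 digest.
    The server stores this; the client recomputes it from the typed password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def client_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    """Client side: HMAC the server's challenge under the password hash.
    The response reveals neither the password nor its hash."""
    return hmac.new(password_hash(password, salt), challenge, hashlib.sha256).digest()


class ChallengeResponseServer:
    """Assumed server side of the challenge-response login described in the thread."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}   # username -> (salt, password hash)
        self._pending: dict[str, bytes] = {}               # username -> outstanding challenge
        self.sessions: dict[str, str] = {}                 # session token -> username

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, password_hash(password, salt))

    def issue_challenge(self, username: str) -> tuple[bytes, bytes]:
        """Hand the client its salt (not secret) and a fresh random challenge."""
        challenge = os.urandom(32)
        self._pending[username] = challenge
        return self._users[username][0], challenge

    def verify(self, username: str, challenge: bytes, response: bytes):
        """Return a session token on success, None otherwise.
        The pending challenge is consumed on every attempt, success or failure,
        so a captured (challenge, response) pair cannot be replayed."""
        expected_challenge = self._pending.pop(username, None)
        if expected_challenge is None or not hmac.compare_digest(expected_challenge, challenge):
            return None
        _, pw_hash = self._users[username]
        expected = hmac.new(pw_hash, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token


def run_demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: one legitimate login, then two replay attempts
    using the sniffed (challenge, response) pair. Returns
    (login_succeeded, replay_of_same_challenge_rejected, replay_against_new_challenge_rejected)."""
    server = ChallengeResponseServer()
    server.register("alice", "correct horse battery staple")   # constructed test user

    salt, challenge = server.issue_challenge("alice")
    response = client_response("correct horse battery staple", salt, challenge)
    token = server.verify("alice", challenge, response)

    # An observer on the wire now holds (challenge, response) but not the password hash.
    replay_same = server.verify("alice", challenge, response)        # challenge already consumed
    _, new_challenge = server.issue_challenge("alice")
    replay_new = server.verify("alice", new_challenge, response)     # response bound to old challenge

    return token is not None, replay_same is None, replay_new is None


if __name__ == "__main__":
    print(run_demo())   # expected: (True, True, True)
```

Two limits of the scheme are worth keeping in view, both already raised in the thread. The server-side value is a password-equivalent: whoever obtains the stored hash can compute valid responses without ever recovering the password, so the database needs the same protection as the passwords themselves. And the token returned on success is an ordinary bearer credential; challenge-response protects the login step, not the session cookie that follows it, which is the point Boris makes about an attacker who can read the traffic.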