[Seaside] authentication for seaside

andres andres at lifia.info.unlp.edu.ar
Wed Dec 29 14:50:04 UTC 2010


There are many views on this topic, and most of them are right to a 
certain extent. I particularly agree with the title of this post 
http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html 
and with some parts of the article itself. I've been doing some research 
recently regarding password storing, why it should be avoided if 
possible and what you should do if you have no alternative; maybe these 
links are helpful to someone else:

http://www.openwall.com/articles/PHP-Users-Passwords
http://www.securityfocus.com/columnists/388/
http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
http://www.wired.com/politics/security/commentary/securitymatters/2006/12/72300
http://www.skrenta.com/2007/08/md5_tutorial.html
http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html
http://blog.moertel.com/articles/2006/12/15/never-store-passwords-in-a-database
http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html
http://chargen.matasano.com/chargen/2006/4/28/oh-meebo.html

HTH,
         Andrés


Tony Fleig wrote:
> Regarding consolidation of account login security:
> 
> I think it depends on the purpose of the password and the account. If
> the account exists only to separate one user's data from another's,
> then one could argue the password is actually not needed at all; the
> username is enough. If, in contrast, the purpose of the password is
> for security, then the password is a critically important part of
> preventing unauthorized access to the user's information.
> 
> Users have for years been using the word "password" and other
> easy-to-guess words as their password and many of these users have
> suffered the consequences. Entrusting the security of all your on-line
> accounts to a single entity, be it Facebook, Twitter, or a national
> government provides a single point of failure for the security of the
> associated accounts. This is the same reason why using the same
> password for multiple accounts is ill-advised.
> 
> Passwords are vulnerable not only to on-line hacking, but also to
> theft or hacking from within the organization that maintains and
> verifies the password. I believe the threat from inside the
> password-holding organization is probably as great or greater than the
> threat from outside given the greater level of access those inside the
> organization have.
> 
> I have divided my on-line accounts into two groups: those whose
> security is not important because they do not contain any personal
> information, and those whose security is indeed important, such as
> on-line bank accounts and any account containing personal information
> that could lead to identity theft. I use one password for all the
> insecure accounts, and a different password for each of the secure
> accounts. That way if a password is revealed, only one account is
> immediately compromised.
> 
> I understand keeping track of many passwords is inconvenient and just
> automatically using one's Facebook login at another site is very
> convenient. Convenience is also the reason why people use the word
> "password" as their password. I, personally, would not use automatic
> Facebook or Twitter login for any but my insecure accounts -- and
> those are almost by definition, the accounts that are not very
> important to me.
> 
> I have three friends whose on-line accounts were compromised and who
> lost significant amounts of money and suffered months of continued
> problems recovering from identity theft. These were not rich people.
> This does happen.
> 
> I think there is still a place for per-site login and security,
> inconvenient as it may be.
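As an added example (not code from this thread or from Seaside) of the "what to do if you have no alternative" advice the links above give: a password store in Python that keeps a random per-user salt and an iteration count beside each hash, so two users who both pick "password" get different records and a precomputed table for one says nothing about the other. The scheme and parameters (PBKDF2-HMAC-SHA256, 16-byte salt, 200,000 iterations) are assumptions for this example, not something the thread prescribes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a random
# 16-byte per-user salt and an iteration count that acts as the work factor.
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record "pbkdf2_sha256$iterations$salt_hex$hash_hex".

    Storing the salt and iteration count next to the hash lets verification
    repeat exactly the same derivation and lets the work factor be raised later.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored record; compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        if scheme != SCHEME:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        stored = bytes.fromhex(hash_hex)
    except ValueError:  # malformed record: wrong field count, bad hex or count
        return False
    return hmac.compare_digest(candidate, stored)


def salts_differ(password: str) -> bool:
    """Same password, two records: the stored values differ, yet both verify."""
    a = hash_password(password)
    b = hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    rec = hash_password("password")  # the weak choice the thread complains about
    print(rec)
    print(verify_password("password", rec), verify_password("Password", rec))
    print(salts_differ("password"))
```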