On 8/10/06, Mark Blythe <[EMAIL PROTECTED]> wrote:
> I must be missing something here.

You're not missing something. The main gain of the simple version of client-side hashing is that you don't know the original password. This is a useful security feature for the user, because most users re-use passwords all over the place. If you salt the hashes with your domain name or something, the hashes in the DB aren't useful for breaking into sites other than your own either (which presumably they've already done if they have access to your password store). The reason I offered the "simple" version of client-side hashing is precisely because it gives a little bit of gain, and is virtually painless to implement.

To get real security, it gets a bit more complicated to implement (although someone probably could/will write a Catalyst plugin to handle all of this eventually). The details are available at the same site I linked the sha1.js source at, just a little bit down the left-hand menu:

http://pajhome.org.uk/crypt/md5/auth.html

The "Alternative System" he describes halfway down that page solves most basic security issues. It involves two layers of client-side hashing and a challenge-response system that you could implement via ajax-style calls.
-- Brandon
_______________________________________________
List: [email protected]
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
