If you are an admin on the machine you could get the passwords even if
they weren't in cookies!  If someone ever puts in their password at
all outside of SSL, you can sniff the password.  If someone steals the
SAM file, what does it matter where I store the password or how I hash
it?

What does that have to do with cookies vs client variables and the
security impact of the two?

On 11/29/05, Russ <[EMAIL PROTECTED]> wrote:
> Not really.  There are different ways of getting hashes.  One is you can be
> an admin on the machine, and you can get the passwords of all the users.
> Another way is to sniff it going across the network.  You can also steal the
> SAM file and get the password that way.  The point is, you don't always need
> to have a login on the system (or physical access to the machine) to get
> people's passwords off of it.
>
> -----Original Message-----
> From: Robertson-Ravo, Neil (RX)
> [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 29, 2005 3:22 PM
> To: CF-Talk
> Subject: RE: pseudo-memory leak
>
>  LOL, isn't that just like saying - I can get into any computer which is
> locked......if you give me the password?
>
>
>
> 

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:225627
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4