Wow. I would make two suggestions:

1) I would highly suggest that you look toward OWASP recommendations on the subject of securing session management. https://www.owasp.org/index.php/Session_Management

Additionally, I would point you to the first bold item here: https://www.owasp.org/index.php/Top_10_2007-Broken_Authentication_and_Session_Management

> * *Only use the inbuilt session management mechanism.* Do not write
> or use secondary session handlers under any circumstances.

2) Solving the Diffie-Hellman key exchange problem eliminated the need for men with handcuffed briefcases and embassy bags for shared secrets. I would suggest that you find a more modern way to handle your credentials.

On 9/13/2011 10:44 PM, Aleksey Tsalolikhin wrote:
> Hi, anybody here have experience using GRC.com's PPP?
>
> https://www.grc.com/ppp
>
> I've read up on this kind of system,
>
> http://en.wikipedia.org/wiki/Transaction_authentication_number
>
> and it seems like it would increase the security of a Web service as
> compared to just using a static password alone.
>
> The weak point I see immediately would be how you get the password
> sheet to the user in the first place... it'd have to be mailed I
> guess, to go out of band, for maximum security.
>
> Anyway, just curious if anyone has operational experience with it and
> is willing to share it.
>
> Thanks,
> Aleksey
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/

-- 
Ian Gorrie <[email protected]>
Technology Advisor
CISSP-ISSAP CISA CISM CEH
http://gorrie.org
PGP Key: 0x88C367CD
http://www.linkedin.com/in/gorrie
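A worked sketch of the paper one-time-code (TAN-style) scheme Aleksey asks about, added here as an example: it is not code from the thread and not GRC's PPP, whose exact derivation it does not reproduce. The derivation (HMAC-SHA256 over a sheet id and cell index), the alphabet, the 10x7 sheet size and the lockout policy are constructed assumptions. It shows the two properties that make such a sheet stronger than a static password: the server stores only a secret and a per-user cursor (never the sheet itself), and every cell is accepted at most once, so a captured code cannot be replayed. The printed sheet returned by `enroll` is exactly the artifact that has to reach the user out of band.

```python
"""TAN-style one-time code sheet: derivation, challenge and consume-once verification.

Added example, not GRC's PPP and not code from the thread. The derivation
(HMAC-SHA256 over sheet id and cell index), alphabet, sheet size and lockout
policy are constructed assumptions. The server keeps only a secret key and a
per-user cursor, never the printed sheet.
"""
import hashlib
import hmac
from typing import Optional

# Alphabet without easily confused characters (no 0/O or 1/I/l); constructed.
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CODE_LEN = 4          # characters per cell
COLUMNS = 7           # cells per printed row
SHEET_CELLS = 70      # 10 rows x 7 columns


def derive_code(secret: bytes, sheet_id: int, cell: int) -> str:
    """Code printed in one cell, derived from the secret and the cell position."""
    msg = f"sheet:{sheet_id}:cell:{cell}".encode()
    n = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest(), "big")
    out = []
    for _ in range(CODE_LEN):
        n, r = divmod(n, len(ALPHABET))   # 256-bit n makes the modulo bias negligible
        out.append(ALPHABET[r])
    return "".join(out)


def derive_sheet(secret: bytes, sheet_id: int) -> list[str]:
    """All cells of one sheet, regenerated on demand from the secret."""
    return [derive_code(secret, sheet_id, i) for i in range(SHEET_CELLS)]


def render_sheet(sheet: list[str]) -> str:
    """Printable form: the thing that has to reach the user out of band."""
    rows = [sheet[i:i + COLUMNS] for i in range(0, len(sheet), COLUMNS)]
    return "\n".join(f"{r:2d}: " + " ".join(row) for r, row in enumerate(rows, 1))


class TanServer:
    """Challenge/response against a cell; each cell is accepted at most once."""

    def __init__(self, secret: bytes, max_failures: int = 5):
        self.secret = secret
        self.max_failures = max_failures
        self.users: dict[str, dict] = {}

    def enroll(self, user: str, sheet_id: int) -> list[str]:
        self.users[user] = {"sheet_id": sheet_id, "next_cell": 0,
                            "pending": None, "failures": 0}
        return derive_sheet(self.secret, sheet_id)   # deliver out of band, then discard

    def challenge(self, user: str) -> Optional[int]:
        """Ask for the next unused cell; None means locked out or sheet exhausted."""
        st = self.users.get(user)
        if st is None or st["failures"] >= self.max_failures or st["next_cell"] >= SHEET_CELLS:
            return None
        st["pending"] = st["next_cell"]
        return st["pending"]

    def verify(self, user: str, cell: int, code: str) -> bool:
        st = self.users.get(user)
        if st is None or st["pending"] is None or cell != st["pending"]:
            return False   # unknown user, no outstanding challenge, or wrong cell answered
        st["pending"] = None   # one attempt per challenge
        expected = derive_code(self.secret, st["sheet_id"], cell)
        if hmac.compare_digest(expected.encode(), code.encode()):
            st["next_cell"] = cell + 1   # consumed: a replayed code is rejected from now on
            st["failures"] = 0
            return True
        st["failures"] += 1   # the cell is kept (not burned); lockout after max_failures
        return False


if __name__ == "__main__":
    server = TanServer(b"server-side secret key (constructed)")
    sheet = server.enroll("aleksey", sheet_id=1)
    print(render_sheet(sheet))        # mail this; never show it on the web front end
    cell = server.challenge("aleksey")
    print("cell", cell, "correct code ->", server.verify("aleksey", cell, sheet[cell]))
    cell = server.challenge("aleksey")
    print("cell", cell, "replayed code ->", server.verify("aleksey", cell, sheet[0]))
```

Design note: keeping the cell on a failed answer (rather than burning it) avoids letting an attacker exhaust a user's sheet by guessing, at the cost of allowing `max_failures` guesses per cell before lockout; with 56^4 possible codes per cell that remains a small exposure, but the trade-off is a policy choice, not part of the thread.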
