On Tue, Dec 28, 2010 at 18:32, someone <[email protected]> wrote:
> Quoting drew wymore <[email protected]>:
>> On Mon, Dec 27, 2010 at 8:22 PM, Michael C. Robinson <
>> [email protected]> wrote:
[...]
> As far as the comment that a login has to be required by OpenDNS to
> protect the system, if the system tracked the host name registered with say
> dyndns.org, logging in to achieve an update would be completely unnecessary.
With the detail supplied, indeed that is true. I wasn't aware of the
details of how it was being used when I made the comment. :)
> An alternative approach is to modify ddclient so that it saves the password
> in salted form instead of unencrypted in a text file. This way, the password
> has to be unsalted by a random person for that person to know it.
That isn't "salted" - which is a couple of random plain-text
characters at the start of the password, so that the hash is not
recoverable with a simple dictionary / rainbow table attack.
What you probably mean is "hashed", which is a one-way transformation
that cannot reasonably be reversed. Which, for this sort of service,
is useless: if it is recorded and useful without someone entering the
password, it is a password-equivalent, so you don't need to steal the
original, just grab that.
If it does require a password entered, why bother asking?
For what that is worth. :)
Daniel
--
✉ Daniel Pittman <[email protected]>
⌨ [email protected] (XMPP)
☎ +1 503 893 2285
♻ made with 100 percent post-consumer electrons
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
