The single most important thing to remember in these situations is to slow down with conclusions, since security engineering is different from normal engineering: something works not when it's functional, but when the smartest people out there fail to find a serious problem with it.

Hashing a hash is fine.

Sending a hashed password alone isn't secure, but also isn't exactly equivalent to sending the password itself: for instance, knowing the password lets me try it on the victim's accounts at other sites.

A self-signed cert is better than nothing. A CA-signed cert is better than that, because of MITM.

SSL-encrypting the entire site using a CA-signed cert is surprisingly cheap and provides a lot of security bang for the buck. It's probably your best bet.

On Sat, 15 Mar 2008, Steve Morrey wrote:

Hello Everyone,

I am currently reviewing some source code for a custom CMS on behalf of a
client.
All of it looks pretty good to me except for the line of code that does the
actual login.
It looks like...
(Yes this is PHP)

// PHP, server side. $user_password already holds sha1(password) computed by the
// browser's JavaScript, so this compares sha1(sha1(password)) with the stored value.
if (sha1($user_password) == $password_from_db) {
    login($user_name);
}

What has me worried is that $user_password is hashed prior to this function
by an SHA1 function written in Javascript, prior to being passed in to PHP.
This means that we are comparing the hash of a hash, which we all know is
generally considered bad practice.

When I confronted the original developer about this, he remarked that he did
it "for security reasons, and because the design docs said the password
should not ever be transmitted or stored in plain text".

That's all well and good except that what has effectively happened in my eyes
is an increased chance for hash collision.
That's about the only reason I can think of why this is a bad idea.

I need some advice here...
Should I just give this code a nod?  I mean most passwords tend to be
insecure to begin with, and transmitting them in plain text is always a bad
idea.
Or should I reject this due to the increased chance of hash collisions and/or
some other reason I can't remember off the top of my head?

Thoughts?

Sincerely,
Steve
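A small Python model of the scheme Steve describes (browser sends sha1(password), server stores and checks sha1 of that), added here as an illustration and not code from the thread or the CMS; the sample password, the `enrol` helper and the "other site" that hashes the plaintext on the server are constructed assumptions. It shows the two halves of the reply's point: without TLS, the value on the wire is all a login to this CMS needs, yet that value is not the password and does not work at a site that hashes the plaintext itself.

```python
import hashlib
import hmac

# Constructed sample credential for the demonstration; not from the thread.
USER_PASSWORD = "correct horse battery staple"


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def browser_submit(password: str) -> str:
    """The JavaScript step: the browser sends sha1(password), never the password itself."""
    return sha1_hex(password)


def enrol(password: str) -> str:
    """What the CMS stores (assumed): sha1 of what the browser submits, i.e. sha1(sha1(password))."""
    return sha1_hex(browser_submit(password))


def cms_login(transmitted: str, password_from_db: str) -> bool:
    """The PHP check from the thread: sha1($user_password) == $password_from_db.
    compare_digest stands in for == only to keep the comparison constant-time."""
    return hmac.compare_digest(sha1_hex(transmitted), password_from_db)


def other_site_login(submitted_password: str, stored_hash: str) -> bool:
    """A different site (assumed) that hashes the plaintext password on the server."""
    return hmac.compare_digest(sha1_hex(submitted_password), stored_hash)


def demo() -> dict:
    db_value = enrol(USER_PASSWORD)
    # 1. A legitimate login: the browser hashes, the server hashes again and compares.
    legit = cms_login(browser_submit(USER_PASSWORD), db_value)
    # 2. Without TLS the hash on the wire is a password-equivalent for this CMS:
    #    presenting the observed value again passes the same check, so the
    #    password never needs to be known. TLS for the whole site closes this.
    observed_on_wire = browser_submit(USER_PASSWORD)
    replay = cms_login(observed_on_wire, db_value)
    # 3. The observed value is still not the password: a site that hashes the
    #    plaintext server-side rejects it, while the real password is accepted.
    other_db_value = sha1_hex(USER_PASSWORD)
    hash_elsewhere = other_site_login(observed_on_wire, other_db_value)
    password_elsewhere = other_site_login(USER_PASSWORD, other_db_value)
    return {"legit": legit, "replay": replay,
            "hash_at_other_site": hash_elsewhere,
            "password_at_other_site": password_elsewhere}


if __name__ == "__main__":
    print(demo())
```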

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/

