On Tue, Dec 11, 2012 at 10:11 PM, Paul McNett <[email protected]> wrote:
> On 12/11/12 7:04 PM, Ed Leafe wrote:
> > Again, the mathematics of this is way above my understanding. But that's the point I've been trying to make in this thread: there are people who devote their entire lives to these concepts. There is no way that you or I in a matter of a few hours will be able to outsmart them. And these aren't just normal people, BTW. Since the stakes are so high when it comes to security, these are the cream of the crop of PhDs in mathematics who are being paid incredible sums of money to stay ahead of the bad guys, who are paying incredible sums of money to other equally exceptional PhDs to defeat the security experts. Anyone who thinks that in their spare time they can come up with something that will be secure is truly delusional.
>
> This is very true and I agree that we should use generally-accepted practices and available libraries rather than reinventing the wheel all the time. However there is always part of me that is reluctant to trust or recommend something that I can't explain, but then again if trial and error seems to pan out over time, I tend to come around eventually.
>
> What if every site on the web came to use this algorithm, and a major flaw was discovered in 5 years?
>
> ------------------
> They just found a vulnerability to pick up mouse movements in any flavor of IE 6->10

I try to incorporate the user ID + pw + corporate text phrase as the final encrypted string. My ID is a GUID already so it makes it big and nasty to start with. :)

After all of this talk about it I may go and tweak our new version of the framework as a test basis on this. Will also have a datetimestamp in user table for last logged access. Thus I will remove the ID column that I "needed" to find your PW for decryption. Make a new method to gen the hash and just search on it alone. Have to change the whole PW generation and update as well. Will also add a login attempt log while I am there.
This has been entertaining.

--
Stephen Russell
Sr. Analyst
Ring Container Technology
Oakland TN
901.246-0159 cell

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/cajidmy+yf6-wtnuymhej2c+j4xinosbxzfmjxocjrj+ymrw...@mail.gmail.com
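The scheme Stephen sketches above (user ID + password + a corporate phrase folded into one stored hash, rows found by that hash alone, a last-login timestamp and a login attempt log), as an added example that is not part of the thread: it uses the standard library's PBKDF2-HMAC in place of a single hash pass, and PEPPER, ITERATIONS, UserStore and the sample GUID are hypothetical names and values.

```python
import hashlib
import time

PEPPER = b"corporate text phrase"  # constructed placeholder: config file, never the DB
ITERATIONS = 200_000               # PBKDF2 work factor; raise as hardware gets faster


def derive(user_id: str, password: str) -> str:
    """PBKDF2-HMAC-SHA256 of the password, salted with user ID + site phrase.

    Deterministic on purpose: the row is found by this value alone, so there is
    no per-user random salt. Renaming a user or rotating PEPPER invalidates the
    stored value and forces a reset; that is the cost of a hash-only lookup.
    """
    salt = user_id.encode() + PEPPER
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


class UserStore:
    """Stand-in for the user table: rows keyed on the hash, plus an attempt log."""

    def __init__(self) -> None:
        self.by_hash = {}   # hash -> {"user_id": ..., "last_login": ...}
        self.attempts = []  # (timestamp, user_id, success) for every login try

    def add_user(self, user_id: str, password: str) -> None:
        self.by_hash[derive(user_id, password)] = {"user_id": user_id, "last_login": None}

    def login(self, user_id: str, password: str, now=None) -> bool:
        now = time.time() if now is None else now
        row = self.by_hash.get(derive(user_id, password))
        # The hash binds the user ID, so a hit for another ID could only be a collision.
        ok = row is not None and row["user_id"] == user_id
        if ok:
            row["last_login"] = now
        self.attempts.append((now, user_id, ok))
        return ok

    def change_password(self, user_id: str, old: str, new: str) -> bool:
        old_hash = derive(user_id, old)
        row = self.by_hash.get(old_hash)
        if row is None or row["user_id"] != user_id:
            return False
        # The hash is the key, so a new password means a new row, not an update in place.
        self.by_hash[derive(user_id, new)] = self.by_hash.pop(old_hash)
        return True

    def failures_since(self, user_id: str, since: float) -> int:
        """Failed attempts for a user after `since`, the input a lockout rule needs."""
        return sum(1 for ts, uid, ok in self.attempts if uid == user_id and not ok and ts >= since)
```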

