At 7:20 PM -0700 4/25/05, Blue Boar wrote:

>David Crocker wrote:
>> I'm by no means an expert in the field of security and Java, but I believe
>> that the usual technique is to encode the password that the user types using
>> a 1-way hashing algorithm, then store (and hide/protect) the encoded version
>> and use that as the password. If an attacker manages to read the password
>> hash, he still has to construct a password that will encode to the same value.
>
>That only works if you're the "server", or more accurately, the process
>that needs to verify the password. If you're the "client", or the
>process that needs to supply the password, that doesn't help you.
At the client, a password should be entered by a human. Two-factor identification would involve an RSA signature made by a portable device (e.g. Smartcard) which is enabled by a password known only to the user. Obviously the channel from the human to the device must be secure, typically by using a keypad on the device independent of the programmable computer system.

-- 
Larry Kilgallen
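The two points made in this exchange, as an added worked example (editor's code, not from any of the posters): first, a server that stores a PBKDF2 hash can still verify a password, but a client holding only that hash cannot authenticate, because the verifier expects the password itself; second, a PIN-unlocked token holding a private key answers a fresh challenge with a signature, so the server stores only a public key and a captured answer cannot be replayed. The RSA here is textbook and unpadded, with two fixed Mersenne primes so the block runs on the standard library alone; it is a toy standing in for a real smartcard, and the PIN, iteration count and the `Token` class are assumptions of the example. Real deployments use a padded scheme such as RSA-PSS and a hardware device.

```python
"""Password hash vs. PIN-gated signing token (added example, not from the thread)."""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

ITERATIONS = 200_000  # PBKDF2 work factor; chosen for the example


# --- 1. Server-side password hashing (Crocker's suggestion) -----------------
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for storage on the verifier."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """The verifier re-derives the hash and compares in constant time."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored)


def hash_protects_verifier_only() -> Tuple[bool, bool]:
    """Blue Boar's point: the server can check a password against a hash,
    but a client that holds only the hash cannot present it as the password."""
    salt, stored = hash_password("correct horse")          # what the server keeps
    as_server = verify_password("correct horse", salt, stored)
    as_client_with_hash_only = verify_password(stored.hex(), salt, stored)
    return as_server, as_client_with_hash_only              # (True, False)


# --- 2. Challenge-response with a PIN-gated signing token (Kilgallen) -------
# Toy RSA parameters: fixed Mersenne primes, no prime generation, no padding.
# Order of 2 mod 65537 is 32, and 32 divides neither 126 nor 520, so
# gcd(e, (p-1)(q-1)) == 1 and the private exponent exists.  NOT for real use.
_P = 2**127 - 1
_Q = 2**521 - 1
_E = 65537


class Token:
    """Model of a smartcard: keeps the private key, signs only after the PIN
    (normally typed on the token's own keypad) has unlocked it."""

    def __init__(self, pin: str):
        self._n = _P * _Q
        self._d = pow(_E, -1, (_P - 1) * (_Q - 1))
        self._pin_salt, self._pin_hash = hash_password(pin)   # PIN never stored raw
        self._unlocked = False
        self.public_key = (self._n, _E)                       # all the server stores

    def unlock(self, pin: str) -> bool:
        self._unlocked = verify_password(pin, self._pin_salt, self._pin_hash)
        return self._unlocked

    def sign(self, challenge: bytes) -> int:
        if not self._unlocked:
            raise PermissionError("token locked: PIN required")
        h = int.from_bytes(hashlib.sha256(challenge).digest(), "big")
        return pow(h, self._d, self._n)        # textbook RSA signature (toy)


def verify_signature(public_key: Tuple[int, int], challenge: bytes, sig: int) -> bool:
    """Server side: recover the digest with the public key and compare."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(challenge).digest(), "big")
    return pow(sig, e, n) == h


def authenticate(token: Token) -> bool:
    """Server issues a fresh nonce per attempt, so an old answer cannot be replayed."""
    challenge = secrets.token_bytes(32)
    try:
        sig = token.sign(challenge)
    except PermissionError:
        return False
    return verify_signature(token.public_key, challenge, sig)


def replay_is_rejected(token: Token) -> bool:
    """A signature captured for one challenge fails against the next one."""
    old, new = secrets.token_bytes(32), secrets.token_bytes(32)
    sig = token.sign(old)
    return verify_signature(token.public_key, old, sig) and not verify_signature(token.public_key, new, sig)


if __name__ == "__main__":
    print(hash_protects_verifier_only())
    t = Token("1234")
    print(authenticate(t), t.unlock("0000"), t.unlock("1234"), authenticate(t), replay_is_rejected(t))
```

Note what each side holds: in scheme 1 the server keeps a hash and the human supplies the password; in scheme 2 the server keeps only a public key, the secret never leaves the token, and the PIN that unlocks it travels only from the human to the token.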