At 7:20 PM -0700 4/25/05, Blue Boar wrote:
>David Crocker wrote:
>> I'm by no means an expert in the field of security and Java, but I believe
>> that the usual technique is to encode the password that the user types using
>> a 1-way hashing algorithm, then store (and hide/protect) the encoded version
>> and use that as the password. If an attacker manages to read the password
>> hash, he still has to construct a password that will encode to the same value.
>
>That only works if you're the "server", or more accurately, the process
>that needs to verify the password.  If you're the "client", or the
>process that needs to supply the password, that doesn't help you.

At the client, a password should be entered by a human.  Two factor
identification would involve an RSA signature made by a portable
device (e.g. Smartcard) which is enabled by a password known only
to the user.  Obviously the channel from the human to the device
must be secure, typically by using a keypad on the device independent
of the programmable computer system.
-- 
Larry Kilgallen
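As an added example, not code from either poster, this Go program models both halves of the thread: the verifier side that stores only a salt and a one-way hash (the quoted technique), and the client side from the reply, where an RSA private key lives on a device, is unlocked by a PIN, and signs a random server challenge. The salt, PIN and challenge values are constructed placeholders, and the iterated SHA-256 stands in for a purpose-built password hash.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Verifier side, as in the quoted message: store salt and hash, never the password.
func HashPassword(password string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 0; i < 10000; i++ { // iterate to slow brute force; prefer bcrypt/scrypt/Argon2
		h = sha256.Sum256(append(h[:], salt...))
	}
	return h[:]
}

// VerifyPassword recomputes the hash and compares in constant time.
func VerifyPassword(storedHash, salt []byte, password string) bool {
	return subtle.ConstantTimeCompare(storedHash, HashPassword(password, salt)) == 1
}

// Device models the smartcard in the reply: the RSA private key never leaves it,
// and the PIN typed on the device's own keypad only unlocks signing.
// Build one with &Device{Key: key, PIN: "..."} from an rsa.GenerateKey result.
type Device struct {
	Key *rsa.PrivateKey
	PIN string
}

// Sign answers a verifier's random challenge, but only when the correct PIN is given.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(d.PIN)) != 1 {
		return nil, errors.New("device locked: wrong PIN")
	}
	digest := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, d.Key, crypto.SHA256, digest[:], nil)
}

// VerifyChallenge needs only the public key, so a server breach exposes no secret.
func VerifyChallenge(pub *rsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}
```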