Yeah, good call, guys.
I'm adding a salt to my code now.
Best,
Patrick
On Oct 11, 2006, at 11:32 AM, Doug Johnston wrote:
Great discussion...I'm going to need to implement something like
this in the near future.
I like Nick's idea of adding salt to the hash. Otherwise, a
potential hacker could create new user accounts and authenticate
them without actually having an email account set up.
1. Register [EMAIL PROTECTED]
2. Get the SHA-1 hash for [EMAIL PROTECTED]
(6caeb549651dd6ddd542d4726761a0bac56eaf70).
3. Submit the hash through the predefined URL for authentication.
Of course, this would be contingent on the hacker correctly
identifying the authentication string but, if he stumbles across
this thread, he'll have a pretty good start! =)
Doug
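The two schemes Doug contrasts, as an added Ruby example that is not code from the thread: a confirmation token that is plain SHA-1 of the address can be computed by anyone who knows the address, while a token keyed with a server-side secret cannot. The "salt" the thread talks about is realised here as an HMAC with a secret key rather than a string concatenation; `SERVER_SECRET`, the sample address and all function names are constructed for this example.

```ruby
require 'openssl'

# Constructed server-side secret for this example; a real deployment loads
# it from configuration and never sends it to clients.
SERVER_SECRET = 'example-secret-not-for-production'.freeze

# The scheme discussed in the thread: the confirmation token is just
# SHA-1(email). Anyone who knows the address can compute it, so a user can
# "confirm" an address they never received mail at.
def weak_token(email)
  OpenSSL::Digest::SHA1.hexdigest(email)
end

def weak_verify?(email, submitted)
  weak_token(email) == submitted
end

# Keyed token: HMAC-SHA1 over the email with the server-side secret (the
# thread's "salt"). Without the secret the token cannot be derived from the
# address alone, so it only reaches whoever controls the mailbox.
def keyed_token(email, secret = SERVER_SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, email)
end

# Constant-time comparison so the check does not leak how many leading
# characters of a submitted token were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_token?(email, submitted, secret = SERVER_SECRET)
  secure_equal?(keyed_token(email, secret), submitted)
end

if __FILE__ == $PROGRAM_NAME
  email = 'user@example.com' # constructed sample address
  puts "weak token:  #{weak_token(email)}"
  puts "keyed token: #{keyed_token(email)}"
  puts "self-computed SHA-1 passes weak check:  #{weak_verify?(email, weak_token(email))}"
  puts "self-computed SHA-1 passes keyed check: #{verify_token?(email, weak_token(email))}"
end
```

The keyed token is still deterministic per address, which is enough to stop the self-confirmation Doug describes; if the link also needs to expire or be single-use, the application has to store a random token (or a timestamp under the HMAC) alongside the account rather than deriving it from the address alone.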
_______________________________________________
Sdruby mailing list
[email protected]
http://lists.sdruby.com/mailman/listinfo/sdruby