Re: questions on Login Security FAQ

2008-09-22 Thread JasonG
Dearest Reinier, I'm a little perturbed by your response. Let's start with session handling. I had initially made a point that if you are using a J2EE back end, then you don't have to worry about handling session IDs because that is pretty much handled for you. You continue to make some sort

Re: questions on Login Security FAQ

2008-09-22 Thread JasonG
I think you're trying to argue that your solution will stop the hacker because he'll never guess that he's supposed to hash username+password instead of just password. No. I'm making the point that in a well organized environment, the database and application are separated and through

Re: questions on Login Security FAQ

2008-09-20 Thread Ed
So, that very shallow review says: It's all good. But no guarantees on the jasypt author's security chops. Thanks Reinier (your pointers are exactly how I use it :) ) -- Ed

Re: questions on Login Security FAQ

2008-09-20 Thread Ed
I like JaSypt, works fine and very friendly. Has some nice Spring integration features such that you can store the hashed value of some password in the spring property file instead of the plain password. Can be useful... It sounds like I am having JaSypt shares :( ;)

Re: questions on Login Security FAQ

2008-09-19 Thread Ed
Like Rob mentioned, always interesting to read Reinier's post :)... B) BCrypt (and you should use BCrypt, or you Fail Security. Seriously. Don't think about it, you failed the test. Use tools written by the experts) - is a better take on a technique called 'salt hashing', I noticed you

Re: questions on Login Security FAQ

2008-09-19 Thread JasonG
Reinier, Thanks for the additional input. Can I get some more clarification from you though? First of all, I don't understand your (A) response. I said you don't need to worry so much about passing session IDs since the app server will pretty much handle that for you... and your response

Re: questions on Login Security FAQ

2008-09-19 Thread Reinier Zwitserloot
I don't know jasypt, so I can't make guarantees (actually, nobody can, but you know what I mean). However, there are two good signs: 1) The API is specifically for password checking. This is a lot better than using a generic hasher and doing the salting yourself. The authors of the library had

Re: questions on Login Security FAQ

2008-09-19 Thread Reinier Zwitserloot
Answers inline... On Sep 19, 3:12 pm, JasonG [EMAIL PROTECTED] wrote: First of all, I don't understand your (A) response. I said you don't need to worry so much about passing session IDs since the app server will pretty much handle that for you... and your response seems to just reiterate

Re: questions on Login Security FAQ

2008-09-19 Thread Ian Bambury
-- Reinier gently nudging the casual reader back onto the straight and narrow with a velvet touch Zwitserloot I think the 'people person' quote was closer :-) Ian

Re: questions on Login Security FAQ

2008-09-18 Thread alex.d
What about easy hashing on the client side, like for example md5? Sure, lately there were several reports about possibilities to crack it quicker than expected (a few hours or even minutes), but I haven't seen any working tool to make it work yet. So hashing with md5 on the client side, and then with

Re: questions on Login Security FAQ

2008-09-18 Thread alex.d
Hi Alex, alex.d wrote: What about easy hashing on the client side, like for example md5? Sure, lately there were several reports about possibilities to crack it quicker than expected (a few hours or even minutes), but I haven't seen any working tool to make it work yet. You can't

Re: questions on Login Security FAQ

2008-09-18 Thread Lothar Kimmeringer
alex.d wrote: And if somebody is ready to go the hard way, well, then there is probably not that much you can do about it - if somebody wants to hack you - they will succeed. NPI: Strange point of view. I hope you're not working for a website where I place orders using my credit cards.

Re: questions on Login Security FAQ

2008-09-18 Thread al0
I dare to say that SHA1 weakness is mostly of theoretical value. It is secure enough for any practical purpose (save probably digital signing of documents with a multiyear lifespan, and protecting extremely sensitive information that may attract attackers that have at their disposal

Re: questions on Login Security FAQ

2008-09-18 Thread Reinier Zwitserloot
JasonG: Thanks for being a nice example of the cluelessness of your average programmer. You've got it all, totally, 100% backwards. Don't feel too insulted, you're like almost everyone else out there. However, you should most definitely stop handing out security advice. Seriously. A) J2EE

Re: questions on Login Security FAQ

2008-09-18 Thread Rob Coops
Always fun to read a Reinier comment to pretty much anyone. Seriously Reinier, though you usually are quite correct with your facts and knowledge, you might try to leave the baseball bat on the field and not bash someone's head in for a change. I would not be surprised if people are scared to post

Re: questions on Login Security FAQ

2008-09-18 Thread Reinier Zwitserloot
We need to invent a TCP/IP compatible cluestick on the double! On Sep 18, 6:36 pm, Ian Petersen [EMAIL PROTECTED] wrote: On Thu, Sep 18, 2008 at 11:31 AM, Rob Coops [EMAIL PROTECTED] wrote: Always fun to read a Reinier comment to pretty much anyone. Seriously Reinier, though you usually are