webappsec@securityfocus.com

Re:Re: At what layer to hash a password

Subject: Re:Re: At what layer to hash a password
From: è
Date: Tue, 29 Jun 2010 09:48:44 +0800 CST
Grega Bremec, webappsec wrote:
>On Sat, 2010-06-26 at 07:13 -0400, Tom Ritter wrote:
>> You covered several of the arguments: the password moving down the
>> stacks and being intercepted there, the maintainability.
>> 
>> But there are two more things I'd raise.  First off, you really shouldn't
>> be hashing your passwords.  It's better to use something I don't know
>> the correct term for (I've heard adaptive hashing and iterative hashing.
>> I usually just call them by name).
>
>I agree on not hashing.
>
>Short of mentioning encryption in the transport layer (which is a must
>in any such scenario), by far the most secure method involving passwords
>known to me would be a challenge/response mechanism which completely
>eliminates the need to transfer any kind of sensitive information over
>the wire.
>
>If the client produces the right token, the response to the challenge
>will be identical to the one that the server calculated based on the PSK
>at hand and the authentication can be thought of as successful.
>
>Regards,
>-- 
>    Grega Bremec
>    gregab at p0f dot net
>
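The challenge/response exchange Grega describes, as an added example rather than code from the thread: the server issues a random nonce, the client answers with an HMAC over it keyed by the pre-shared key, and the server recomputes and compares. The key value and function names are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample PSK; in practice it is provisioned out of band.
PSK = b"example-pre-shared-key"


def server_issue_challenge() -> bytes:
    """Server side: a fresh, unpredictable nonce per authentication attempt."""
    return os.urandom(32)


def client_respond(psk: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the PSK without putting it on the wire."""
    return hmac.new(psk, challenge, hashlib.sha256).digest()


def server_verify(psk: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    expected = hmac.new(psk, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_exchange(client_psk: bytes, server_psk: bytes = PSK) -> bool:
    """One full round trip: challenge -> response -> verdict."""
    challenge = server_issue_challenge()
    response = client_respond(client_psk, challenge)
    return server_verify(server_psk, challenge, response)


def replayed_response_is_rejected(psk: bytes = PSK) -> bool:
    """A response captured from one exchange must not satisfy a later challenge."""
    first_challenge = server_issue_challenge()
    captured = client_respond(psk, first_challenge)
    if not server_verify(psk, first_challenge, captured):
        return False  # sanity check: the genuine exchange must succeed
    second_challenge = server_issue_challenge()
    return not server_verify(psk, second_challenge, captured)


if __name__ == "__main__":
    print("correct PSK accepted:", run_exchange(PSK))
    print("wrong PSK rejected:", not run_exchange(b"wrong-key"))
    print("replay rejected:", replayed_response_is_rejected())
```

Note that the server still has to hold the PSK (or an equivalent verifier) in a form it can compute with, so this scheme keeps the secret off the wire but does not remove the need to protect the stored credential.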
