Grega Bremec, webappsec
>On Sat, 2010-06-26 at 07:13 -0400, Tom Ritter wrote:
>> You covered several of the arguments: the password moving down the
>> stacks and being intercepted there, the maintainability.
>>
>> But there's two more things I'd raise. First off, you really shouldn't
>> be hashing your passwords. It's better to use something I don't know
>> the correct term for (I've heard adaptive hashing and iterative hashing.
>> I usually just call them by name).
>
>I agree on not hashing.
>
>Short of mentioning encryption in the transport layer (which is a must
>in any such scenario), by far the most secure method involving passwords
>known to me would be a challenge/response mechanism which completely
>eliminates the need to transfer any kind of sensitive information over
>the wire.
>
>If the client produces the right token, the response to the challenge
>will be identical to the one that the server calculated based on the PSK
>at hand and the authentication can be thought of as successful.
>
>Regards,
>--
> Grega Bremec
> gregab at p0f dot net
>
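The challenge/response exchange described above, as an added example that is not part of the original post or the list's code: the server issues a fresh random challenge, both sides derive a response from the pre-shared key with an HMAC, and the server compares in constant time, so the PSK itself is never sent. The PSK value and the function names are assumptions for illustration. One design consequence worth keeping in mind: the server must hold the PSK (or a key derived from it) in usable form to recompute the response, so this scheme does not combine with storing only an adaptively hashed password.

```python
import hashlib
import hmac
import secrets

# Constructed pre-shared key for the example; a real deployment provisions
# this out of band and stores it protected on both sides.
PSK = b"example-pre-shared-key-not-real"


def new_challenge() -> bytes:
    """Server side: a fresh, unpredictable nonce for every login attempt.

    Freshness is what stops a captured response from being replayed.
    """
    return secrets.token_bytes(32)


def compute_response(psk: bytes, challenge: bytes) -> bytes:
    """Both sides: derive the response from the PSK and the challenge.

    Using an HMAC keyed with the PSK means only the challenge and the
    32-byte MAC cross the wire; the secret itself never leaves either party.
    """
    return hmac.new(psk, challenge, hashlib.sha256).digest()


def verify_response(psk: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected value and compare in constant time."""
    expected = compute_response(psk, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(client_psk: bytes, server_psk: bytes = PSK) -> dict:
    """Simulate one round trip and return the messages plus the verdict.

    client_psk is whatever the client believes the secret is; passing a
    wrong value models a client that does not hold the real PSK.
    """
    challenge = new_challenge()                          # server -> client
    response = compute_response(client_psk, challenge)   # client -> server
    ok = verify_response(server_psk, challenge, response)
    return {"challenge": challenge, "response": response, "authenticated": ok}


def replay_is_rejected(server_psk: bytes = PSK) -> bool:
    """A response captured from one exchange fails against a new challenge."""
    first = run_exchange(server_psk, server_psk)
    later_challenge = new_challenge()
    return not verify_response(server_psk, later_challenge, first["response"])


if __name__ == "__main__":
    print("genuine client:", run_exchange(PSK)["authenticated"])
    print("wrong key:", run_exchange(b"wrong-key")["authenticated"])
    print("replayed response rejected:", replay_is_rejected())
```

The transport should still be encrypted, as the post says: this exchange protects the secret, not the session that follows it.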