Re: JS and security.



"Roger" <crosseyedpenguin@xxxxxxx> wrote in message
news:3s_Re.63787$Ji4.40484@xxxxxxxxxxxxx
> Jim Davis wrote:
>
>>
>> There's no sense (although I'm willing to be convinced) in attempting to
>> address hard security issues via JavaScript. Things like data
>> encryption, key management, credential management, etc should all be
>> centralized and rigidly controlled.
>>
>
> One good use for Javascript is the encryption of passwords before they are
> sent to the server. Most users use the same passwords for multiple
> applications, so sniffing out a user's password on one application may
> lessen the security on other applications the user has access to.

I can see the point... but have two issues with this:

1) Doing "good" encryption is difficult to do in script (it's slow and
there are language issues). So, for the most part it'll be weak encryption
anyway.

2) In my opinion no passwords should be sent across an open pipe anyway: SSL
should always be used. This is MUCH stronger encryption than you'd get with
script and eliminates any benefit to manually encrypting the password.

However, if you're unable to use SSL then this might be a "better than
nothing" solution.

> It is better for the user's point of view to never let the host have
> access to the user's raw password. Therefore, none of the dishonest
> employees with access to the user file on the host will have access to the
> user's password.

Ah - but you're not talking about encryption here (sorry to be a jerk - this
is a pet peeve of mine). This is called "hashing".

Encryption implies that you can retrieve the data again (to be plain,
encryption implies unencryption). Hashing, on the other hand, is more like
"fingerprinting" - it's an identification technology. While a fingerprint
can be used to identify somebody, it can't be used to recreate the whole
person.

For hash generation I can definitely see some use for doing it on the
client-side. There are still issues. (For example, hashes, especially for
small values, aren't unique - so many possible passwords could have the same
hash - any of which would work to get into the user's account.)

But there is definitely some value in it, you're right.

Jim Davis




