Re: Encryption Question
- From: "Bart Van der Donck" <bart@xxxxxxxxxx>
- Date: 14 Mar 2007 13:07:20 -0700
shimmyshack wrote:
> On 14 Mar, 19:10, "Bart Van der Donck" <b...@xxxxxxxxxx> wrote:
>> Changing password:
>> - let user type the current password and his
>> new requested password, encrypt both
>> - do something like:
>> getnewpass.asp?oldEncPW=gH4tGhKLNx&newEncPW=yHjke4c5Wu
>> - compare oldEncPW to stored string; if it matches, then
>> delete old string and store the new one
>
> thus the man-in-the-middle would now know the password hash
> being stored in the database.
> Now he can request to login, and send
> sha1( password_hash_he_sniffed + salt)
> now despite not knowing the password the attacker gets in
> from that point onward.
Yes, HTTPS should be added. See my reply to myself some minutes ago.
For the rest, my model should be secure if one uses a one-way
encryption in javascript, both for the authentication and for the
password change.
Of course, once HTTPS is there, one could send the password in
plaintext as well, and let the server application encrypt it before
storing it (which would be the more traditional authentication
scheme).
--
Bart