Beefy Boxes and Bandwidth Generously Provided by pair Networks
Think about Loose Coupling

Re^2: RFC / Audit: Mojo Login Example

by haukex (Bishop)
on Mar 23, 2020 at 07:35 UTC ( #11114562=note: print w/replies, xml ) Need Help??

in reply to Re: RFC / Audit: Mojo Login Example
in thread RFC / Audit: Mojo Login Example

Thank you for the thoughtful reply!

You don't want to expose the salt to the client - but without salt hashing doesn't give better security.

Yes, I should have been more clear on this - I would take a hash of only the password on the client side, say SHA-512 multiple times, and additionally do the same hashing+salt on the server. That way, the cleartext password is never seen by the server, and provided the hash isn't in a rainbow table somewhere, it adds a tiny bit more security.

All of your points are excellent, and yes, I see that perhaps a per-IP delay or lockout on too many attempts might even be better than the current implementation (in Mojo: $c->tx->remote_address). Even though I agree logging is very important, did leave it out of this example... but luckily Mojo makes it fairly easy to add: app->log->warn("..."), app->log->error("...") and so on, and it can be redirected into a database as well via the event mechanism built into Mojo::Log.

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://11114562]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others having an uproarious good time at the Monastery: (2)
As of 2022-05-22 03:28 GMT
Find Nodes?
    Voting Booth?
    Do you prefer to work remotely?

    Results (78 votes). Check out past polls.