Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change

Re: Re: Plaintext passwords?

by no_slogan (Deacon)
on Mar 23, 2002 at 17:58 UTC ( #153812=note: print w/replies, xml ) Need Help??

in reply to Re: Plaintext passwords?
in thread We blame tye.

If a pass-phrase is lost, a new one can be generated and emailed to the monk using their public key.
That would be really cool except for one little problem: what happens if I forget the password to my private key? I used to do that regularly, because I didn't decrypt messages very often.
Now, when someone logs in, they first encrypt their pass-phrase with the monks public key, insert it into the pass-phrase text area and submit.
You need to prevent someone from capturing and reusing my encrypted password, too. See my comment on nonces elsewhere in this thread.
Of course we can still use our current cookie method of remembering who we are to limit the need for this.
If you do this, my cookie essentially becomes my password, because anyone who has my cookie can make the system think he's me. Cookies are stored in plaintext on the user's computer. Cookies are sent across the network in plaintext. Not good for security.
Beware, however, if we are at a location that doesn't have a tool for encryption, we won't be able to login.
I think this is a deal-breaker for most web apps.

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://153812]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (7)
As of 2022-01-22 12:21 GMT
Find Nodes?
    Voting Booth?
    In 2022, my preferred method to securely store passwords is:

    Results (62 votes). Check out past polls.