in reply to Web based password management (or how *not* to blame tye)
Passing the password as an MD5 hash isn't any better than passing it in the clear, if it weren't done over SSL. Just thought I'd point it out and make it explicit.
I've done something similar in the past. If we wanted to be truly paranoid we'd implement S/Key. (I wish I had my JavaScript S/Key implementation working, maybe someday...).
UPDATE: Some reading on S/Key; RFC 1938, RFC 2289
--
perl -pe "s/\b;([st])/'\1/mg"
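
The replay point made in the post, and the S/Key alternative it mentions, as an added example (not code from the post or its author): a simplified S/Key-style hash chain for Node.js, using MD5 folded to 64 bits and omitting RFC 2289's six-word encoding. The passphrase, seed, and the names `fold`, `otp`, `SKeyServer` and `staticLogin` are constructed for illustration.

```javascript
// Added example: simplified S/Key-style one-time passwords (not RFC-exact).
const crypto = require('crypto');

// MD5 folded to 64 bits by XORing the two halves of the digest.
function fold(data) {
  const d = crypto.createHash('md5').update(data).digest();
  const out = Buffer.alloc(8);
  for (let i = 0; i < 8; i++) out[i] = d[i] ^ d[i + 8];
  return out;
}

// Hash seed+passphrase once, then apply the fold `count` more times.
function otp(passphrase, seed, count) {
  let h = fold(Buffer.from(seed.toLowerCase() + passphrase, 'utf8'));
  for (let i = 0; i < count; i++) h = fold(h);
  return h;
}

// Server state: only the last accepted OTP and its counter, never the passphrase.
class SKeyServer {
  constructor(initialOtp, count) { this.last = initialOtp; this.count = count; }
  challenge() { return this.count - 1; }   // sequence number the client must use
  verify(candidate) {
    if (this.count <= 0) return false;      // chain exhausted, must re-initialise
    const hashed = fold(candidate);         // one more hash must equal stored value
    if (!crypto.timingSafeEqual(hashed, this.last)) return false;
    this.last = Buffer.from(candidate);     // step down the chain
    this.count -= 1;
    return true;
  }
}

// Static scheme from the post: the server compares a fixed MD5 digest.
function staticLogin(storedHex, submittedHex) { return storedHex === submittedHex; }

function demo() {
  const pass = 'correct horse (constructed)', seed = 'ke1234';
  const server = new SKeyServer(otp(pass, seed, 99), 99);
  const first = otp(pass, seed, server.challenge());   // client answers count 98
  const results = { first: server.verify(first) };     // accepted
  results.replayed = server.verify(first);             // same value again: rejected
  results.next = server.verify(otp(pass, seed, server.challenge())); // count 97
  const md5hex = crypto.createHash('md5').update(pass).digest('hex');
  results.staticReplay = staticLogin(md5hex, md5hex);  // fixed digest stays valid
  return results;
}
console.log(demo());
```

Without SSL the fixed MD5 digest is itself the credential, so a captured copy keeps working; each S/Key value is accepted once and the server never holds anything that can be resubmitted.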
Replies are listed 'Best First'.
Re: Re: Web based password management (or how *not* to blame tye)
by maverick (Curate) on Mar 24, 2002 at 21:43 UTC
by belg4mit (Prior) on Mar 24, 2002 at 21:45 UTC