Beefy Boxes and Bandwidth Generously Provided by pair Networks
Do you know where your variables are?
 
PerlMonks  

comment on

( #3333=superdoc: print w/replies, xml ) Need Help??

    Unfortunately, storing the crypted version of the password on the server means that the client has to send the password to the server in plaintext. Either you hide that with SSL, or you accept the fact that you have no real security.

    If you try to protect the password in transit by using something like HTTP digest authentication, then you have to store the password (or some equivalent secret information) in plaintext on the server. Which is the bigger vulnerability?

Some excellent points, no_slogan. It's kind of depressing that the current state of the art, as far as anything common enough to be useful goes, relies so much on plaintext passwords. (Although you might be able to get the client to hash the password before sending it over the wire, using a browser plugin of some sort. Provided that you trust the plugin.)

Is there a better way of doing user authentication for sites like PerlMonks out there that doesn't rely on pie-in-the-sky technology? (Preferably something that doesn't involve shared secrets, which IMHO are just too much trouble.) Having the client hash the password before sending it over the wire is a start, but doesn't help much if the server isn't who the client thinks it is, since the attacker can just play back the password hash at the real server.

I'd look up some ideas, but my copy of Applied Crypto is at home, and I'm not. Anyone else?

--
:wq


In reply to Re: Plaintext passwords? by FoxtrotUniform
in thread We blame tye. by Anonymous Monk

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or or How to display code and escape characters are good places to start.
Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others studying the Monastery: (2)
As of 2022-05-19 02:40 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    Do you prefer to work remotely?



    Results (71 votes). Check out past polls.

    Notices?