If a pass-phrase is lost, a new one can be generated and emailed to the monk using their public key.
That would be really cool except for one little problem: what happens if I forget the password to my private key? I used to do that regularly, because I didn't decrypt messages very often.
Now, when someone logs in, they first encrypt their pass-phrase with the monks public key, insert it into the pass-phrase text area and submit.
You need to prevent someone from capturing and reusing my encrypted password, too. See my comment on nonces elsewhere in this thread.
Of course we can still use our current cookie method of remembering who we are to limit the need for this.
If you do this, my cookie essentially becomes my password, because anyone who has my cookie can make the system think he's me. Cookies are stored in plaintext on the user's computer. Cookies are sent across the network in plaintext. Not good for security.
Beware, however, if we are at a location that doesn't have a tool for encryption, we won't be able to login.
I think this is a deal-breaker for most web apps.
-
Are you posting in the right place? Check out Where do I post X? to know for sure.
-
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big>
<blockquote> <br /> <dd>
<dl> <dt> <em> <font>
<h1> <h2> <h3> <h4>
<h5> <h6> <hr /> <i>
<li> <nbsp> <ol> <p>
<small> <strike> <strong>
<sub> <sup> <table>
<td> <th> <tr> <tt>
<u> <ul>
-
Snippets of code should be wrapped in
<code> tags not
<pre> tags. In fact, <pre>
tags should generally be avoided. If they must
be used, extreme care should be
taken to ensure that their contents do not
have long lines (<70 chars), in order to prevent
horizontal scrolling (and possible janitor
intervention).
-
Want more info? How to link
or How to display code and escape characters
are good places to start.
|