Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine

comment on

( #3333=superdoc: print w/replies, xml ) Need Help??
What you really would like is something like UNIX's crypt or some similar in javascript. The implementation is known, so it wouldn't be impossible, but I think it would be quite lengthy... which is a bad thing on the web. :)

Another approach that I have seen is that you randomly generate a password the first time too, and email that to the user. That way you can use better encryptions - but you face the same problems with non-encrypted email - if that is an issue, and without the javascript thingy, the user can't change his password.

The best solution should of course be to encrypt on the serverside and use SSL - but that has the drawbacks you mention above.

When retreiving lost passwords: Depending on what kind of users you have, you could possibly have the user that lost the password enter his/her email address instead, which will then be matched to a user and emailed just like above. Reason for this is, that on many sites, the usernames might be known, but not the email addresses. So the black hat dude would have to figure out a valid email first, and then succeed in sniffing it (unless PGP is also on, in which case it hardly matters). Drawback is that some users tend to forget what email they signed up with...

And of course, as people will point out, demanding javascript will shut some out, and make others angry. But if that is the rules of the site - hey it is your site after all, and personally I wouldn't mind at all if it had good reasons.

Some good thoughts there, but it would seem that for tight security, there is no good replacement for encrypting all the traffic, which has lots of penalties in performance, price etc.

One also always must ask oneself what is a reasonable security level for the particular site, and weigh risk/gain against each other.

You have moved into a dark place.
It is pitch black. You are likely to be eaten by a grue.

In reply to Re: Web based password management (or how *not* to blame tye) by Dog and Pony
in thread Web based password management (or how *not* to blame tye) by maverick

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or or How to display code and escape characters are good places to start.
Log In?

What's my password?
Create A New User
Domain Nodelet?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others perusing the Monastery: (6)
As of 2022-05-27 16:29 GMT
Find Nodes?
    Voting Booth?
    Do you prefer to work remotely?

    Results (97 votes). Check out past polls.