Well, first of all, they have a user name, so that's an advantage they don't need. Further, if they can research the user using the user name, they can now use the username to start guessing reasonable passwords.

As an aside, I once discovered that someone was doing something online that was violating the terms of service on a Web site. They had a very unusual username and it took me all of two minutes to track them down using http://www.google.com. If I was more inclined to be a bad person, this could have been the start of something ugly (I wound up finding code samples they had written and Web sites that were using them). Instead, I sent them an email asking them to stop what they were doing and they did, replying that it was a "mistake". User names shouldn't be given out freely unless the person who has the user name knows it's being given out (such as on Perlmonks).

As for the "crypted" password, if you're using the crypt function, then the salt is embedded in the first two characters and the cracker runs a standard "crack" utility on the password (again made simpler because having the username may make it easier to determine what sort of password might be used -- you merely feed the new information into the wordlist the crack utility uses). Even if the password is "encrypted", or a digest is used, it's still possible to attack the password and try to crack it. There's no point in allowing the possibility of this happening if you can avoid it.

If the attacker has managed to get a cookie without physical access to the person's box, then this suggests that they may be using any of a number of techniques that could allow them to obtain more than one crypted password. If so, it only takes one weak password to start a cascading chain of vulnerabilities being exposed.

Question: just out of curiosity, what would happen if I sniffed someone's cookie and I were to submit it myself? Would I then have access to the system? Once again, there's a potential security hole open there. I'd personally recommend using a timed anonymous session id as the cookie's value, rather than something which is potentially a vulnerability.

For more information, you can read merlyn's column on basic cookie management. I think you will find it very informative.

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the link and check out our stats.
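The timed anonymous session id recommended in the post above, as an added Perl example that is not from the original post or from PerlMonks. The in-memory %SESSIONS hash (standing in for a database), the 30-minute TTL and the cookie attributes are assumptions; the crypt() line only shows why a crypted password makes a poor cookie value.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical in-memory session store; a real site would use a DB or file
# keyed the same way. Each entry: { user => ..., expires => epoch seconds }.
my %SESSIONS;
my $SESSION_TTL = 30 * 60;   # assumed lifetime: 30 minutes

# Read cryptographically random bytes from the OS and return them as hex.
sub random_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $bytes, 32 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $bytes;   # 64 hex chars carrying no user information
}

# Create a session after the user has already authenticated; the cookie
# value is an opaque id, not the username or the crypt()ed password.
sub new_session {
    my ($user) = @_;
    my $id = random_session_id();
    $SESSIONS{$id} = { user => $user, expires => time + $SESSION_TTL };
    return $id;
}

# Look up a presented cookie value; reject malformed, unknown or expired ids,
# so a sniffed cookie stops working once the session times out.
sub session_user {
    my ($id) = @_;
    return undef unless defined $id && $id =~ /\A[0-9a-f]{64}\z/;
    my $s = $SESSIONS{$id} or return undef;
    if ($s->{expires} < time) {
        delete $SESSIONS{$id};   # expired: drop it and treat as no session
        return undef;
    }
    return $s->{user};
}

# Contrast: a cookie holding a crypt() string hands over the salt (the first
# two characters of a traditional DES crypt) plus the hash to attack offline.
my $crypted = crypt('example-password', 'ab');   # constructed example
printf "salt %s is visible in %s\n", substr($crypted, 0, 2), $crypted;

my $sid = new_session('somemonk');   # constructed username
print "Set-Cookie: session=$sid; HttpOnly; Secure; Path=/\n";
printf "lookup: %s\n", session_user($sid) // 'no session';
printf "bogus:  %s\n", session_user('deadbeef' x 8) // 'no session';
```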


In reply to Re: Re: (not so) Invisible Cookies by Ovid
in thread Invisible Cookies by Anonymous Monk
