http://www.perlmonks.org?node_id=153938


in reply to Web based password management (or how *not* to blame tye)

What you really would like is something like UNIX's crypt or something similar in javascript. The implementation is known, so it wouldn't be impossible, but I think it would be quite lengthy... which is a bad thing on the web. :)

Another approach that I have seen is that you randomly generate a password the first time too, and email that to the user. That way you can use better encryptions - but you face the same problems with non-encrypted email - if that is an issue, and without the javascript thingy, the user can't change his password.

The best solution should of course be to encrypt on the serverside and use SSL - but that has the drawbacks you mention above.

When retrieving lost passwords: Depending on what kind of users you have, you could possibly have the user that lost the password enter his/her email address instead, which will then be matched to a user and emailed just like above. The reason for this is that on many sites, the usernames might be known, but not the email addresses. So the black hat dude would have to figure out a valid email first, and then succeed in sniffing it (unless PGP is also on, in which case it hardly matters). Drawback is that some users tend to forget what email they signed up with...

And of course, as people will point out, demanding javascript will shut some out, and make others angry. But if those are the rules of the site - hey, it is your site after all, and personally I wouldn't mind at all if it had good reasons.

Some good thoughts there, but it would seem that for tight security, there is no good replacement for encrypting all the traffic, which has lots of penalties in performance, price etc.

One also always must ask oneself what is a reasonable security level for the particular site, and weigh risk/gain against each other.


You have moved into a dark place.
It is pitch black. You are likely to be eaten by a grue.
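The server-side flow the reply sketches (generate a random initial password, store only its crypt hash, mail the password, and handle "lost password" by matching an email address), as an added Perl example that is not from the original post or its author. It assumes a Perl whose builtin `crypt` supports glibc-style `$6$` (SHA-512) salts and that `/dev/urandom` is readable; the user table, `send_mail`, and the sample user are constructed stand-ins, not part of any site.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed in-memory user table: username => { email, hash }.
# A real site would keep this in a database.
my %users;

# crypt-compatible alphabet: ./0-9A-Za-z (64 symbols, so ord % 64 is unbiased)
my @chars = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Random string from the crypt alphabet, read from /dev/urandom (assumption).
sub random_string {
    my ($len) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "Cannot open /dev/urandom: $!";
    read($fh, my $buf, $len) == $len or die "Short read from /dev/urandom";
    close $fh;
    return join '', map { $chars[ ord($_) % @chars ] } split //, $buf;
}

# Hash a password with the builtin crypt; '$6$' selects SHA-512 crypt on glibc
# (assumption: the platform crypt supports it). The result embeds its own salt.
sub hash_password {
    my ($pw) = @_;
    my $hash = crypt($pw, '$6$' . random_string(16));
    die "crypt() did not produce a \$6\$ hash on this platform"
        unless defined $hash && $hash =~ /^\$6\$/;
    return $hash;
}

# Verify by re-crypting with the stored hash as the salt.
sub check_password {
    my ($username, $pw) = @_;
    my $u = $users{$username} or return 0;
    return crypt($pw, $u->{hash}) eq $u->{hash} ? 1 : 0;
}

# Stand-in mailer: prints instead of sending. Note that the password travels
# in plaintext email here, which is exactly the tradeoff the reply points out.
sub send_mail {
    my ($to, $body) = @_;
    print "[mail to $to] $body\n";
}

# First-time registration: the site picks the password, the user never types one.
sub register_user {
    my ($username, $email) = @_;
    my $pw = random_string(12);    # 12 symbols from a 64-symbol alphabet, ~72 bits
    $users{$username} = { email => $email, hash => hash_password($pw) };
    send_mail($email, "Your initial password for '$username' is: $pw");
    return;                        # the plaintext is not kept anywhere
}

# Lost password: the user supplies an email address, not a username.
sub lost_password {
    my ($email) = @_;
    my ($username) = grep { $users{$_}{email} eq $email } sort keys %users;
    if (defined $username) {
        my $pw = random_string(12);
        $users{$username}{hash} = hash_password($pw);
        send_mail($email, "Your new password for '$username' is: $pw");
    }
    # Same reply whether or not the address matched, so the form does not
    # confirm which addresses are registered.
    return "If that address is registered, a new password has been sent to it.";
}

# Constructed demonstration run
register_user('merlyn', 'merlyn@example.org');
print lost_password('merlyn@example.org'), "\n";
print lost_password('nobody@example.org'), "\n";
print "wrong password accepted? ", check_password('merlyn', 'guess') ? "yes" : "no", "\n";
```

Running it prints two "[mail to ...]" lines with freshly generated passwords (only for the registered address), the same neutral sentence for both lookups, and "no" for the wrong-password check; the hash stored in `%users` can be verified with `check_password` using the mailed value.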