Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical

Re: Re: Re: Re: CGI and saving passwords

by flyingmoose (Priest)
on May 04, 2004 at 22:50 UTC ( #350623=note: print w/replies, xml ) Need Help??

in reply to Re: Re: Re: CGI and saving passwords
in thread CGI and saving passwords

You're right, it is fairly academic ... md5 does have some known (but minor) collision problems, though.

At this point (or level of questioning), one also might want to understand 'plaintext equivalence', just to not get in the rut of 'it's not a password but it's as GOOD as a password'. Sending md5 hashes over plaintext http is a plaintext equivalence problem. Session ID's are best. I know of a certain app that doesn't send passwords, but you can sniff the transmissions, copy the packets, and use them in a "replay attack" -- because what is sent, though not the password, is just as good as a password.

Also see "challenge-response" type behavior (we're getting into overkill if you aren't dealing with shell accounts at this point) and maybe if you are really excited about this, read "Applied Cryptography" by Bruce S. I really don't claim to understand half of it, but it's a good skim during boring work telecoms -- and math is fun.

Really, most people don't need to worry about all of these vulnerabilities or potential vulnerabilities, but it is important to know when you do need to know, which unfortunately most people don't know when they need to know :)

  • Comment on Re: Re: Re: Re: CGI and saving passwords

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://350623]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (4)
As of 2017-03-29 16:46 GMT
Find Nodes?
    Voting Booth?
    Should Pluto Get Its Planethood Back?

    Results (352 votes). Check out past polls.