Beefy Boxes and Bandwidth Generously Provided by pair Networks
go ahead... be a heretic
 
PerlMonks  

Re^2: What happened?

by ysth (Canon)
on Aug 03, 2009 at 00:36 UTC ( #785308=note: print w/ replies, xml ) Need Help??


in reply to Re: What happened?
in thread What happened?

Since every request authenticates by cookie, everything would need to be https, not just the login page. And as far as I can see, that ain't gonna happen.

Update: or, as tye says, we'd do something quite different with cookies.


Comment on Re^2: What happened?
Re^3: What happened? (https)
by tye (Cardinal) on Aug 03, 2009 at 04:49 UTC

    True, for our current cookies.

    But the cookie shouldn't depend on the password itself. The cookie should be more like a cryptographic hash of something including the hashed password. So sniffing the cookie would not get you very far. You'd have to learn the "secret" string and then reverse a hash function and that would then only get you the hashed password.

    The 'login' page should be https://. I've long wanted that. That'd also mean getting rid of the "login nodelet".

    Also, a good password hashing function takes significant CPU time. There is a balance to be struck there. Making op=login a very convenient denial-of-service attack point is a bad idea. We might want to implement a "you recently tried to log in (from this IP address or for this username), please wait before trying again" response, which means we only need to worry about attacks from botnets. Surely that would never happen. /:

    - tye        

      I'm pretty sure you are aware of this, but to avoid confusion from people reading this later...

      You'd have to learn the "secret" string and then reverse a hash function and that would then only get you the hashed password.

      If we are really talking about the cookie being a cryptographic hash of something and a hashed password, the phrase reverse the hash describes an extremely hard problem. Reversing any cryptographic hash should be computationally infeasible.

      G. Wade

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://785308]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others chanting in the Monastery: (7)
As of 2014-12-21 06:28 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (104 votes), past polls