Beefy Boxes and Bandwidth Generously Provided by pair Networks
There's more than one way to do things
 
PerlMonks  

Re: Re: Plaintext passwords?

by no_slogan (Deacon)
on Mar 23, 2002 at 17:58 UTC ( #153812=note: print w/ replies, xml ) Need Help??


in reply to Re: Plaintext passwords?
in thread We blame tye.

If a pass-phrase is lost, a new one can be generated and emailed to the monk using their public key.
That would be really cool except for one little problem: what happens if I forget the password to my private key? I used to do that regularly, because I didn't decrypt messages very often.
Now, when someone logs in, they first encrypt their pass-phrase with the monks public key, insert it into the pass-phrase text area and submit.
You need to prevent someone from capturing and reusing my encrypted password, too. See my comment on nonces elsewhere in this thread.
Of course we can still use our current cookie method of remembering who we are to limit the need for this.
If you do this, my cookie essentially becomes my password, because anyone who has my cookie can make the system think he's me. Cookies are stored in plaintext on the user's computer. Cookies are sent across the network in plaintext. Not good for security.
Beware, however, if we are at a location that doesn't have a tool for encryption, we won't be able to login.
I think this is a deal-breaker for most web apps.


Comment on Re: Re: Plaintext passwords?

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://153812]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others wandering the Monastery: (7)
As of 2014-09-03 04:43 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite cookbook is:










    Results (35 votes), past polls