Beefy Boxes and Bandwidth Generously Provided by pair Networks
Problems? Is your data what you think it is?

Re: žIs this a secure way to handle login?

by o(o_o)o (Scribe)
on Mar 27, 2002 at 16:27 UTC ( #154706=note: print w/replies, xml ) Need Help??

in reply to Is this a secure way to handle login?

one way you can get round the predict random numbers thing, is to:

  • Create a dictionary file of words, or use a portion of /usr/dict/words.
  • Create a random number however you wish
  • use the random number to index a word in the dictionary file
  • perform a hash function on the word
  • use that hash as the ID

    i think what would be alright, as long as you log all the currently "in use" hashes, then the hash can't be predicted even if someone predicts the random number used, because they don't know what dictionary file you use(because you havn't used a predictable part of the file eg. the first thousand), and also what hash function.

    well.. i think that'd work

    i would slit my wrists for you
    • Comment on Re: žIs this a secure way to handle login?
  • Replies are listed 'Best First'.
    Re: Re: žIs this a secure way to handle login?
    by maverick (Curate) on Mar 27, 2002 at 16:58 UTC
      One non-obvious addition. Don't use /usr/dict/words verbatim. Apache and most other web servers will announce what they are and what os they're on. With that piece of info, someone could find the same version of /usr/dict/words that you have and only have to guess your initial random number and hash function (because you'd probably be using one of the standard ones) to replicate your hash. Use a randomized version of /usr/dict/words. That way you have two random elements in play.

      perl -l -e "eval pack('h*','072796e6470272f2c5f2c5166756279636b672');"

    Re: Re: žIs this a secure way to handle login?
    by Molt (Chaplain) on Apr 11, 2002 at 13:14 UTC

      Just wondering, have you ever tried to implement this on a system which is hit a lot? To first view it looks as if it'd scale very badly, especially if the /usr/dict/words/or/whatever is read in and parsed on a per-request basis.

      I suspect the MD5 hash method would probably be easier and scale better?

    Log In?

    What's my password?
    Create A New User
    Node Status?
    node history
    Node Type: note [id://154706]
    and all is quiet...

    How do I use this? | Other CB clients
    Other Users?
    Others rifling through the Monastery: (3)
    As of 2018-07-22 05:33 GMT
    Find Nodes?
      Voting Booth?
      It has been suggested to rename Perl 6 in order to boost its marketing potential. Which name would you prefer?

      Results (452 votes). Check out past polls.