Beefy Boxes and Bandwidth Generously Provided by pair Networks
Welcome to the Monastery

comment on

( #3333=superdoc: print w/replies, xml ) Need Help??

How about this:

  • Store the hashed password on the server.
  • Hash the password on the client (using Javascript PasswdMD5 or something), then cat on a sufficiently random session ID and hash it again. Send that hash to the server.
  • The server takes the session ID, cats it onto its copy of the hashed password, hashes the result, and compares that hash to the one it got from the client.

So the server isn't keeping around any plaintext passwords, and the session ID acts as a one-time key to prevent replay attacks. For extra tasty goodness, you can do this through SSL to prevent attackers from sniffing the session ID, although unless they know the original password hash (which, since we're not storing the password in plaintext anywhere, is mildly unlikely) the worst damage they could do with a sniffed session ID is chuck a bogus hash back at the server and give the real user a "sorry, try again" message (if that).

I'm a bit leery of this system, because it seems too simple. Can you see any problems with it?

Update: Cacharbe expressed some doubts about the "sufficiently random" session ID. Basically, the idea is that the server picks a random integer (from /dev/random or something similar), keeps a copy, and sends it off to the client. Client hashes their password, cats the session ID onto the password, hashes _that_, and sends it back over the wire. Server cats the (same) session ID onto its hashed password for whoever the client claims to be, hashes it, and checks it against the hash it got back from the client.

The problem with this (which I only just saw -- augh!) is that the server's still storing information that can be used verbatim to attack a client account. If I can get the hashed password from the server, then I can just connect, get a session ID, and go from there. In short, it isn't really a step up from storing passwords in plaintext on the server. Oh well, back to the drawing board.


In reply to Re(3): Plaintext passwords? by FoxtrotUniform
in thread We blame tye. by Anonymous Monk

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?

    What's my password?
    Create A New User
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others imbibing at the Monastery: (2)
    As of 2020-10-26 05:10 GMT
    Find Nodes?
      Voting Booth?
      My favourite web site is:

      Results (250 votes). Check out past polls.