Full Disclosure mailing list archives

Re: password hash, funny myth in the industry!


From: phioust <phioust () gmail com>
Date: Tue, 16 Oct 2007 15:12:06 -0500

On 10/16/07, Bipin Gautam <gautam.bipin () gmail com> wrote:

> Consider the fact, many websites/forums don't use password hash+salt,
> just password hash( generally SHA1, MD5) that gets computer client
> side and POSTED to the web-forum for user authentication.


Is "computer" supposed to be "computed"? Based on your post I think it's
supposed to be, and if so you are an idiot. The browser does not hash your
password in any way, nor are there directives to tell your browser to do so.
The clear text pass is sent in the POST, so of course you can sniff, but as
this post says 1000s of username/password combos were dropped, so who is
going to sniff all those machines?

> instead just using the password hash itself
> manipulating the POST request.


The hash is not sent in the request - the clear text is, and the server side
code (php, asp, whatever) hashes it before checking it against the database.
You suck at life.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
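The login flow phioust describes (browser posts the clear-text password, the server hashes it and compares against the stored value) as an added example, not code from either poster or from any real forum software. It also goes one step beyond the thread by placing the unsalted MD5 storage Bipin's quoted text mentions next to a salted, iterated PBKDF2 version, so the reader can see why two accounts with the same password give away that fact in one scheme and not the other. The user stores, the form body and the usernames are constructed for the example.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs

# Constructed in-memory "user tables" standing in for the forum database.
# Unsalted: username -> hex MD5 of the password (the scheme the thread describes).
USERS_UNSALTED = {}
# Salted: username -> (salt, iteration count, PBKDF2-HMAC-SHA256 digest).
USERS_SALTED = {}

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example


def parse_login_post(body):
    """Decode an application/x-www-form-urlencoded login body.

    This is what the server sees: the password arrives in the clear inside the
    POST body; nothing in the browser hashed it before sending.
    """
    return {key: values[0] for key, values in parse_qs(body).items()}


def register_unsalted(username, password):
    # Old forum style: store MD5(password) with no salt.
    USERS_UNSALTED[username] = hashlib.md5(password.encode()).hexdigest()


def verify_unsalted(username, password):
    # Server-side hashing of the posted clear text, then a constant-time compare.
    stored = USERS_UNSALTED.get(username)
    if stored is None:
        return False
    candidate = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)


def register_salted(username, password, iterations=PBKDF2_ITERATIONS):
    # A fresh random salt per user: equal passwords no longer produce equal records.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    USERS_SALTED[username] = (salt, iterations, digest)


def verify_salted(username, password):
    record = USERS_SALTED.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time does not
        # reveal whether an account exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def handle_login_post(body, verify):
    """Full server-side path: decode the POST, hash the clear text, compare."""
    form = parse_login_post(body)
    return verify(form.get("username", ""), form.get("password", ""))


def same_stored_value(store, user_a, user_b):
    """True when two accounts have identical stored material.

    For the unsalted table this is true whenever the passwords match, which is
    what lets a leaked table be grouped and looked up in precomputed lists.
    """
    a, b = store[user_a], store[user_b]
    if isinstance(a, tuple):  # salted record: compare the digests only
        return a[2] == b[2]
    return a == b


if __name__ == "__main__":
    for register in (register_unsalted, register_salted):
        register("alice", "hunter2")
        register("bob", "hunter2")
    body = "username=alice&password=hunter2"
    print("unsalted login:", handle_login_post(body, verify_unsalted))
    print("salted login:  ", handle_login_post(body, verify_salted))
    print("unsalted records equal:", same_stored_value(USERS_UNSALTED, "alice", "bob"))
    print("salted records equal:  ", same_stored_value(USERS_SALTED, "alice", "bob"))
```

The point of `parse_login_post` is only to make visible what phioust states: the password is in the request body as typed. Whether the stored form is salted or not changes nothing about that request, which is why salting protects a leaked database but not a sniffed connection; that part needs TLS.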
