Penetration Testing mailing list archives

Re: username and Password sent as clear text strings


From: "arvind doraiswamy" <arvind.doraiswamy () gmail com>
Date: Wed, 21 May 2008 09:53:01 +0530

@Marvin: I was talking of a salted hash where not even the client
knows what salt is going to be used coz it will be a rand() function
which will get called. And no, the server must not be allowed to accept
just a plain text password -- it rarely happens that way because it
will run the hash() over the plain text and won't get what it wants.
You will need to send the hash which you now cannot predict because of
the salt. Then again if the salt also gets captured as you say -- due
to a lack of https it's game over. I never said this is a replacement
for HTTPS -- it is just defense in depth I am talking about.

Cheers
Arvind
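The challenge-response scheme Arvind describes, written out as an added example (it is not code from the thread): the server issues a random salt per login attempt, the client returns a keyed hash over its password hash, and the server recomputes and compares, never accepting the plain-text password and consuming each salt so a captured response cannot be replayed. All names and the sample user are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store: the server keeps hash(password), never the
# password itself.  Note this stored value is a password-equivalent for this
# protocol, which is one reason the scheme is defense in depth, not a TLS
# replacement.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

# Outstanding one-time salts per user; popped on use so a replayed response
# never matches a live challenge.
_pending = {}


def issue_challenge(username):
    """Server side: generate an unpredictable salt the client did not choose."""
    salt = secrets.token_hex(16)  # the rand() salt from the post
    _pending[username] = salt
    return salt


def client_response(password, salt):
    """Client side: bind hash(password) to this challenge with a keyed hash."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return hmac.new(salt.encode(), pw_hash.encode(), hashlib.sha256).hexdigest()


def verify(username, response):
    """Server side: recompute from the stored hash; plain text can never match."""
    salt = _pending.pop(username, None)  # single use: replay of an old salt fails
    stored = USERS.get(username)
    if salt is None or stored is None:
        return False
    expected = hmac.new(salt.encode(), stored.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    s = issue_challenge("alice")
    print("good login:", verify("alice", client_response("correct horse", s)))
    issue_challenge("alice")
    print("plain text sent instead of hash:", verify("alice", "correct horse"))
```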
