Penetration Testing mailing list archives
Re: username and Password sent as clear text strings
From: "arvind doraiswamy" <arvind.doraiswamy () gmail com>
Date: Wed, 21 May 2008 09:53:01 +0530
@Marvin: I was talking of a salted hash where not even the client knows what salt is going to be used, because it will be a rand() function which will get called. And no, the server must not be allowed to accept just a plain-text password. It rarely happens that way, because it will run the hash() over the plain text and won't get what it wants. You will need to send the hash, which you now cannot predict because of the salt. Then again, if the salt also gets captured as you say, due to a lack of HTTPS, it's game over. I never said this is a replacement for HTTPS; it is just defense in depth I am talking about.

Cheers
Arvind
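The scheme Arvind describes, written out as an added example (it is not code from the thread): the server issues a random salt per login attempt, the client sends a hash computed over that salt, and the server recomputes the same value to compare. Everything beyond the post is an assumption: the server stores sha256(password) as its verifier rather than the plain-text password, the client's proof is HMAC-SHA256 over the nonce keyed with that verifier, and each nonce is consumed after one attempt so a captured response cannot be replayed. The example also shows the limit the post concedes: it only defends against replay, not against an attacker who sees the traffic, so it complements HTTPS rather than replacing it.

```python
"""Challenge-response login with a per-attempt random salt (nonce).

Added example for the scheme described in the post above; not code from the
thread. Assumptions (not from the post): the server stores sha256(password) as
a verifier, the client proves knowledge of it with HMAC-SHA256 over the nonce,
and each nonce is valid for exactly one attempt.
"""
import hashlib
import hmac
import secrets


def derive_verifier(password: str) -> bytes:
    """What the server stores instead of the plain-text password (assumption).

    Caveat: whoever obtains this value can answer challenges, so it must be
    protected like a password itself.
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


class Server:
    def __init__(self) -> None:
        self.verifiers: dict[str, bytes] = {}   # username -> stored verifier
        self.pending: dict[str, bytes] = {}     # username -> outstanding nonce

    def register(self, username: str, password: str) -> None:
        self.verifiers[username] = derive_verifier(password)

    def issue_challenge(self, username: str) -> bytes:
        """Fresh random salt for this attempt; the client cannot predict it."""
        nonce = secrets.token_bytes(32)
        self.pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Recompute the expected response and compare in constant time.

        The nonce is consumed whether or not the check passes, so a response
        captured off the wire is useless against the next challenge.
        """
        nonce = self.pending.pop(username, None)
        verifier = self.verifiers.get(username)
        if nonce is None or verifier is None:
            return False
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes) -> bytes:
    """Client side: hash the password together with the salt it was just handed."""
    return hmac.new(derive_verifier(password), nonce, hashlib.sha256).digest()


def demo() -> dict[str, bool]:
    """One legitimate login, one wrong password, one replay, one stale submit."""
    server = Server()
    server.register("alice", "correct horse battery staple")  # constructed sample account
    results: dict[str, bool] = {}

    # 1. Legitimate login: response matches the server's recomputation.
    nonce = server.issue_challenge("alice")
    captured = client_response("correct horse battery staple", nonce)
    results["valid_login"] = server.verify("alice", captured)

    # 2. Wrong password under a new challenge.
    nonce = server.issue_challenge("alice")
    results["wrong_password"] = server.verify(
        "alice", client_response("wrong guess", nonce))

    # 3. Replay: the hash captured in step 1 is sent against a fresh nonce.
    server.issue_challenge("alice")
    results["replayed_response"] = server.verify("alice", captured)

    # 4. No outstanding challenge at all: nothing to compare against.
    results["no_outstanding_challenge"] = server.verify("alice", captured)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'accepted' if outcome else 'rejected'}")
```

Running the module prints one accepted login and three rejections. The replay case is the whole point of the random salt: the sniffed value from step 1 never verifies again. The plain hashing of the password in `derive_verifier` is kept minimal to match the post; a production design would use a slow, salted password hash on the server side as well.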