WebApp Sec mailing list archives

Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection)

From: Thomas Chiverton <thomas.chiverton () bluefinger com>
Date: Wed, 17 Aug 2005 09:18:57 +0100

On Wednesday 17 August 2005 05:52, Noam Eppel wrote:

If you are implementing a one-way hash correctly, there should be no need
to store the plaintext passwords. All that should be stored is the
resulting hash of each password.


Yes, but in order to hash the password, the web page must ask the user for it, 
which means it is still vulnerable to sniffing.

-- 

Tom Chiverton 
Advanced ColdFusion Programmer

Current thread:

Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) mike (Aug 16)
- Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Noam Eppel (Aug 16)
  - Re[2]: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Oleg Topchiy (Aug 17)
    - Re: Re[2]: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Chuck (Aug 17)
    - Re: MD5 Password encoding, "straight" vs "salted" hashes Peter Watkins (Aug 17)
  - Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Thomas Chiverton (Aug 17)
- <Possible follow-ups>
- RE: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Cyrill Osterwalder (Aug 17)
  - RE: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Bond Masuda (Aug 17)
  - Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Gary Gwin (Aug 18)
    - Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Jean-Jacques Halans (Aug 22)
    - Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Serban Ghita (Aug 23)
- Re: RE: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) mike (Aug 17)