WebApp Sec mailing list archives
Re:Re: At what layer to hash a password
From: 薛 <deco1987 () 126 com>
Date: Tue, 29 Jun 2010 09:48:44 +0800 (CST)
Quick reply to: Grega Bremec, webappsec
On Sat, 2010-06-26 at 07:13 -0400, Tom Ritter wrote:

> You covered several of the arguments: the password moving down the stacks and being intercepted there, the maintainability. But there are two more things I'd raise. First off, you really shouldn't be hashing your passwords. It's better to use something I don't know the correct term for (I've heard adaptive hashing and iterative hashing. I usually just call them by name).

I agree on not hashing. Short of mentioning encryption in the transport layer (which is a must in any such scenario), by far the most secure method involving passwords known to me would be a challenge/response mechanism which completely eliminates the need to transfer any kind of sensitive information over the wire. If the client produces the right token, the response to the challenge will be identical to the one that the server calculated based on the PSK at hand, and the authentication can be thought of as successful.

Regards,
--
Grega Bremec
gregab at p0f dot net
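One way to implement the PSK challenge/response Grega describes, shown as an added example that is not code from anyone in this thread; it assumes an HMAC-SHA256 keyed with the shared secret over a fresh server nonce, and the PSK value is a constructed sample:

```python
import hmac
import hashlib
import os

# Constructed sample pre-shared key, provisioned out-of-band to both sides.
# Note the design consequence: the server must hold the PSK (or an equivalent
# HMAC key) to verify responses, so it cannot be stored as a slow salted hash
# the way a plain password verifier can.
PSK = b"correct horse battery staple"


def server_challenge() -> bytes:
    """Server side: issue an unpredictable, single-use nonce per login attempt."""
    return os.urandom(16)


def client_response(psk: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the PSK; only the MAC crosses the wire."""
    return hmac.new(psk, nonce, hashlib.sha256).digest()


def server_verify(psk: bytes, nonce: bytes, response: bytes) -> bool:
    """Server side: recompute the expected MAC and compare in constant time."""
    expected = hmac.new(psk, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_exchange(client_psk: bytes, server_psk: bytes) -> bool:
    """Full round trip: challenge -> response -> verdict, for one login attempt."""
    nonce = server_challenge()           # server -> client
    response = client_response(client_psk, nonce)  # client -> server
    return server_verify(server_psk, nonce, response)


if __name__ == "__main__":
    print("correct PSK:", run_exchange(PSK, PSK))      # True
    print("wrong PSK:  ", run_exchange(b"guess", PSK))  # False
```

Because each nonce is fresh, a response captured from one exchange does not verify against the next challenge, which is what makes this safer than sending the password or a static hash of it.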