WebApp Sec mailing list archives

Re: At what layer to hash a password


From: Wil Clouser <clouserw () gmail com>
Date: Mon, 5 Jul 2010 17:44:00 -0700

On Mon, Jul 5, 2010 at 2:09 AM, arvind doraiswamy
<arvind.doraiswamy () gmail com> wrote:
> a) At the client: Your main threat here is local access. If the app is
> public and people might access it from a public computer, there's a
> chance they might be able to steal it from the RAM. So some Javascript
> with a salted implementation of MD5 should work well here. The salt
> should be random though, otherwise you could just replay the MD5
> password and gain access..and you're back to square 1.

If you're concerned about a compromised client, implementing client-side
code is not the answer.  If someone can "steal it from RAM" they
can certainly just keylog it as I type it in too (or disable
JavaScript).

For 99% of web apps:  Use SSL for transport encryption, encrypt the
password in the app where you have more options than a db, and watch
for strange authentication activity (failed logins, multiple access,
geographic/IP distances, etc.).  Target what you can control and watch
for unusual trends - that will offer the most protection for your
customers.

Wil
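
The server-side approach Wil describes, as an added example that is not code from the original post or from any project it mentions: hash the password in the application tier with a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256 from the standard library, with an assumed iteration count), compare in constant time, and run two of the "strange authentication activity" checks over a constructed login log (failed-login bursts, and successful logins whose geographic distance from the previous one implies impossible travel). Function names, thresholds, IP addresses, coordinates and the log records are all assumptions made for this example.

```python
"""Server-side password hashing plus two login-anomaly checks.

Added example for this thread (not the original post's code). Names,
thresholds and the sample login log are assumptions for illustration.
"""
import hashlib
import hmac
import math
import os
from collections import defaultdict
from typing import List, Optional, Set, Tuple

# Assumed work factor; tune to the hardware that actually authenticates.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt per user means equal passwords give different
    records, so a stolen table cannot be attacked with one precomputed list.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


# Constructed login log: (unix seconds, user, outcome, source IP, lat, lon).
# The coordinates stand in for whatever GeoIP lookup the app would perform.
Event = Tuple[int, str, str, str, float, float]
LOGIN_EVENTS: List[Event] = [
    (0,    "alice", "fail", "203.0.113.5",  37.77, -122.42),
    (12,   "alice", "fail", "203.0.113.5",  37.77, -122.42),
    (25,   "alice", "fail", "203.0.113.5",  37.77, -122.42),
    (40,   "alice", "fail", "203.0.113.5",  37.77, -122.42),
    (55,   "alice", "fail", "203.0.113.5",  37.77, -122.42),
    (0,    "bob",   "ok",   "198.51.100.7", 37.77, -122.42),  # San Francisco
    (3600, "bob",   "ok",   "192.0.2.44",   51.51,   -0.13),  # London, 1 h later
    (0,    "carol", "ok",   "198.51.100.9", 37.77, -122.42),
    (900,  "carol", "fail", "198.51.100.9", 37.77, -122.42),
    (7200, "carol", "ok",   "198.51.100.9", 37.77, -122.42),
]


def failed_login_bursts(events: List[Event], threshold: int = 5,
                        window_s: int = 300) -> Set[str]:
    """Users with at least `threshold` failures inside any `window_s` span."""
    failures = defaultdict(list)
    for ts, user, outcome, *_ in events:
        if outcome == "fail":
            failures[user].append(ts)
    flagged = set()
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:  # slide window start
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events: List[Event],
                      max_kmh: float = 1000.0) -> List[Tuple[str, int, float]]:
    """(user, ts, km) for successes that imply speed > max_kmh since the
    same user's previous successful login."""
    last, flagged = {}, []
    for ts, user, outcome, _ip, lat, lon in sorted(events, key=lambda e: e[0]):
        if outcome != "ok":
            continue
        if user in last:
            pts, plat, plon = last[user]
            km = haversine_km(plat, plon, lat, lon)
            hours = (ts - pts) / 3600.0
            # Two places in the same second is as impossible as any.
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                flagged.append((user, ts, round(km, 1)))
        last[user] = (ts, lat, lon)
    return flagged
```

Against the constructed log, `failed_login_bursts` flags alice (five failures in under a minute) and `impossible_travel` flags bob's London login an hour after a San Francisco one (roughly 8,600 km), while carol's two logins from the same place pass. The hashing side is the "encrypt the password in the app" part: the secret never leaves the server in a reusable form, which a client-side MD5 cannot achieve since whatever the browser sends is itself the credential.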
