WebApp Sec mailing list archives
Re: At what layer to hash a password
From: arvind doraiswamy <arvind.doraiswamy () gmail com>
Date: Sun, 18 Jul 2010 12:58:18 +0530
True about the keylogging part. However, I'm just saying a keylogger might involve installation etc. irrespective of the disk footprint size, while a RAM viewer might not. Agreed, if he is "local" he could potentially do many things - but if you're looking to make your "application" as secure as you can, client-side password hashing before it goes over SSL isn't a bad thing.

Also, I was talking more of replay attacks rather than reversing the hash itself. So if it wasn't salted you could just replay the hash and gain access. So a random salt generated by the server and then used on the client to hash data before it goes out will work.

Hope that clarifies things.

Cheers
Arvind
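The scheme Arvind describes above (server issues a random salt, the client hashes the password with it before sending, so a captured response cannot be replayed) as a worked example. This is added illustration code, not code from the thread or from any poster: it assumes PBKDF2 as the slow password hash stored on the server, an HMAC keyed by the server's one-time nonce as the value that crosses the wire, and in-memory dicts standing in for the user and nonce stores. All names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Added example (not from the original message). Both sides of the exchange:
#   1. server -> client: static per-user salt + fresh single-use nonce
#   2. client -> server: HMAC(nonce, PBKDF2(password, salt))
#   3. server recomputes the proof from its stored hash and consumes the nonce,
#      so replaying the same response fails.

PBKDF2_ROUNDS = 100_000  # assumed work factor


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of the password; computed identically on both sides."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def proof(derived: bytes, nonce: bytes) -> str:
    """The value that actually goes over the wire, bound to this nonce only."""
    return hmac.new(nonce, derived, hashlib.sha256).hexdigest()


class Server:
    def __init__(self) -> None:
        self.users = {}                          # username -> (salt, derived hash)
        self.pending = {}                        # username -> outstanding nonce
        self._enum_key = secrets.token_bytes(32) # for fake salts on unknown users

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, derive(password, salt))

    def challenge(self, username: str) -> tuple[bytes, bytes]:
        """Step 1. Unknown users get a stable fake salt so the challenge does not
        reveal whether the account exists."""
        if username in self.users:
            salt = self.users[username][0]
        else:
            salt = hmac.new(self._enum_key, username.encode("utf-8"),
                            hashlib.sha256).digest()[:16]
        nonce = secrets.token_bytes(32)
        self.pending[username] = nonce  # replaces any earlier unused nonce
        return salt, nonce

    def verify(self, username: str, nonce: bytes, response: str) -> bool:
        """Step 3. The pending nonce is consumed on the first attempt, success
        or failure, which is what defeats replay of a captured response."""
        expected_nonce = self.pending.pop(username, None)
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False
        record = self.users.get(username)
        if record is None:
            return False
        _, derived = record
        return hmac.compare_digest(proof(derived, nonce), response)


def client_login(server: Server, username: str, password: str) -> tuple[bytes, str]:
    """Step 2, the client side: the password itself never leaves the client."""
    salt, nonce = server.challenge(username)
    return nonce, proof(derive(password, salt), nonce)


if __name__ == "__main__":
    srv = Server()
    srv.register("alice", "correct horse battery staple")
    nonce, resp = client_login(srv, "alice", "correct horse battery staple")
    print("first attempt:", srv.verify("alice", nonce, resp))   # True
    print("replayed:     ", srv.verify("alice", nonce, resp))   # False
```

Two things worth keeping in mind when using this pattern: the server's stored derived hash becomes password-equivalent for this protocol (anyone holding the database can answer challenges directly), so it still needs the same protection as a conventional password hash and the exchange still belongs inside TLS; and the nonce store needs an expiry in a real deployment so that an unanswered challenge cannot sit around indefinitely.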
Current thread:
- Re: At what layer to hash a password arvind doraiswamy (Jul 05)
- Re: At what layer to hash a password Chris Travers (Jul 05)
- Re: At what layer to hash a password Wil Clouser (Jul 06)
- Re: At what layer to hash a password arvind doraiswamy (Jul 19)