WebApp Sec mailing list archives

Re: At what layer to hash a password


From: arvind doraiswamy <arvind.doraiswamy () gmail com>
Date: Sun, 18 Jul 2010 12:58:18 +0530

True about the keylogging part. However, I'm just saying: a keylogger
might involve installation, etc., irrespective of the disk footprint size,
while a RAM viewer might not. Agreed, if he is "local" he could
potentially do many things, but if you're looking to make your
"application" as secure as you can, client-side password hashing before
it goes over SSL isn't a bad thing.

Also, I was talking more about replay attacks than about reversing the
hash itself. So if it wasn't salted, you could just replay the hash and
gain access. So a random salt generated by the server, and then used on
the client to hash the data before it goes out, will work.

Hope that clarifies things.

Cheers
Arvind




