[thelist] Login Screen Security?
Joshua Olson
joshua at waetech.com
Wed Nov 12 12:18:29 CST 2003
----- Original Message -----
From: <John.Brooking at sappi.com>
Sent: Monday, November 10, 2003 5:41 PM

> * Is the Perl "crypt" function (which says it works exactly like the
> crypt(3) function in the C library) a sufficient means of encrypting the
> password?

Yes, I'd think so.

> I'm letting the administrator set a "salt" value in the software
> configuration file, and when a password comes in from the login screen, I
> encrypt it with the same "salt" and compare the result to the encrypted
> value in the users file. Sound okay?

Great idea.

> * If my login screen is not going through an SSL layer, is that a
> hole?

Yes, it's a hole, unless you encrypt the form value via client-side
scripting before submittal. This may or may not be tough if you don't wish
to expose the salt value.
<><><><><><><><><><>
Joshua Olson
Web Application Engineer
WAE Tech Inc.
http://www.waetech.com
706.210.0168
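
The salt-and-compare scheme discussed in this thread, as an added Perl example that is not part of the original messages: it hashes the same password with one configuration-wide salt and with a random salt per user, then verifies a login by passing the stored hash back to crypt as the salt. The user names, passwords and the salt value "ab" are constructed, and it assumes the platform's crypt(3) accepts a traditional two-character salt.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: two users who happen to choose the same password.
my %plaintext = (alice => 'correcthorse', bob => 'correcthorse');

# Scheme from the thread: one administrator-set salt read from the config file.
my $config_salt = 'ab';    # hypothetical config value

# Alternative: a fresh two-character salt per user, drawn from the crypt(3)
# salt alphabet. A salt only needs to differ between users; it is not a secret.
my @salt_chars = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');
sub random_salt { join '', map { $salt_chars[ int rand @salt_chars ] } 1 .. 2 }

# Verify a login attempt. crypt() reads the salt from the front of the stored
# hash, so no separate salt value has to be stored or sent anywhere.
sub check_password {
    my ($attempt, $stored) = @_;
    my $computed = crypt($attempt, $stored);
    return defined $computed && $computed eq $stored;
}

# Build both versions of the users file in memory.
my (%shared, %per_user);
for my $user (sort keys %plaintext) {
    $shared{$user}   = crypt($plaintext{$user}, $config_salt);
    $per_user{$user} = crypt($plaintext{$user}, random_salt());
}

for my $user (sort keys %plaintext) {
    printf "%-6s shared salt: %s   per-user salt: %s\n",
        $user, $shared{$user}, $per_user{$user};
}

# With one shared salt, equal passwords always produce equal stored values.
print "shared salt, same password, same hash:   ",
    ($shared{alice} eq $shared{bob} ? "yes" : "no"), "\n";
print "per-user salt, same password, same hash: ",
    ($per_user{alice} eq $per_user{bob} ? "yes" : "no"), "\n";

print "correct password accepted: ",
    (check_password('correcthorse', $per_user{alice}) ? "yes" : "no"), "\n";
print "wrong password accepted:   ",
    (check_password('wrongguess', $per_user{alice}) ? "yes" : "no"), "\n";
```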