[thelist] Login Screen Security

John.Brooking at sappi.com John.Brooking at sappi.com
Wed Nov 12 12:37:58 CST 2003


Thanks for the response, Josh. I was just preparing a follow-up on some
client-side JavaScript I found which implements crypt, but your message sort
of beat me to the punch.

On the salt exposure problem: Even if the cracker can sniff the salt (now
there's an image!), does it do him any good? It would certainly give him a
much improved chance of guessing the password by running his guesses through
his own crypt function to positively identify a match with what he sniffed.
But he's still guessing passwords, so he's not any further ahead than if he
was guessing passwords at a regular login screen that submits via SSL,
right? It *is* kind of a shame to protect the salt so well on the server side,
only to expose it on the client, but if it doesn't hurt us, is that really a
problem?

I'll incorporate our conclusions, with a URL to the client-side crypt code,
into a tip.

- John
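The exchange discussed above (server hands the browser a salt, the browser runs crypt and sends back the result), as an added example that is not part of the original post. The `crypt_like` function is an assumed SHA-256 stand-in for crypt(3), keeping crypt's convention of storing the salt in the clear as a prefix of the hash; the point it illustrates is that the salt is public by construction, while the crypt output that travels over the wire is constant per user and is exactly what the server accepts, so it needs the same transport protection (SSL) as a plaintext password would.

```python
import hashlib
import hmac
import secrets


def crypt_like(password: str, salt: str) -> str:
    """Assumed stand-in for crypt(3): salt is prepended in the clear,
    just as traditional crypt stores its two-character salt before the hash."""
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"{salt}${digest}"


def salt_of(stored: str) -> str:
    """The salt is recoverable from the stored value; it was never a secret."""
    return stored.split("$", 1)[0]


class LoginServer:
    def __init__(self) -> None:
        self.users: dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self.users[user] = crypt_like(password, secrets.token_hex(4))

    def challenge(self, user: str) -> str:
        # Sent to the browser so client-side crypt can run; anyone watching
        # the connection sees the same value, which is fine for a salt.
        return salt_of(self.users[user])

    def verify(self, user: str, client_value: str) -> bool:
        # The server accepts the crypt output itself, so that output is
        # password-equivalent and must be protected in transit like one.
        return hmac.compare_digest(self.users[user], client_value)


def client_login(server: LoginServer, user: str, password: str) -> bool:
    """What the browser-side JavaScript would do: fetch salt, crypt, submit."""
    salt = server.challenge(user)
    return server.verify(user, crypt_like(password, salt))
```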
