[thelist] Login Screen Security

John.Brooking at sappi.com John.Brooking at sappi.com
Wed Nov 12 14:16:26 CST 2003


>> On the salt exposure problem: Even if the cracker can sniff the salt (now
>> there's an image!), does it do him any good? It would certainly give him a
>> much improved chance of guessing the password by running his guesses through
>> his own crypt function to positively identify a match with what he sniffed.
>> But he's still guessing passwords, so he's not any further ahead than if he
>> was guessing passwords at a regular login screen that submits via SSL,
>> right? It *is* kind of shame to protect the salt so well on the server side,
>> only to expose it on the client, but if it doesn't hurt us, is that really a
>> problem?
>
> It's good to see the thought processes at work.

But wait! That's no good!! Now all the cracker has to do is write his own
form and send the same crypted string ("etqKJte.0e." or whatever) as he sees
in the stream. Doesn't matter what the original password was! Back to rule
#1: Don't trust anything from the client.

Damn.

Were you waiting to see how long it would take me to realize that?  :-)

- John

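Added example, not part of the original message: a sketch of why a hash computed on the client is itself the credential, shown beside a single-use server nonce, a common mitigation that the thread does not propose. SHA-256 and HMAC are swapped in for crypt(), and the salt, password and all function and class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SALT, PASSWORD = "et", "hunter2-constructed"  # constructed sample values

def client_hash(password, salt):
    # Stand-in for the client-side crypt() in the thread (SHA-256 swapped in).
    return hashlib.sha256((salt + password).encode()).hexdigest()

STORED = client_hash(PASSWORD, SALT)  # what the server keeps on file

def static_login(submitted):
    # Scheme discussed in the thread: compare the submitted hash as-is.
    return hmac.compare_digest(submitted, STORED)

def respond(hashed, nonce):
    # Client side of the challenge: key an HMAC over the nonce with the hash.
    return hmac.new(hashed.encode(), nonce.encode(), hashlib.sha256).hexdigest()

class NonceLogin:
    """Hypothetical server that issues a single-use nonce per login attempt."""
    def __init__(self):
        self.pending = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self.pending:  # unknown or already-spent nonce
            return False
        self.pending.discard(nonce)
        return hmac.compare_digest(response, respond(STORED, nonce))

def demo():
    wire_value = client_hash(PASSWORD, SALT)  # what crosses the network
    static_replay = static_login(wire_value)  # accepted with no password known
    server = NonceLogin()
    n1 = server.challenge()
    r1 = respond(client_hash(PASSWORD, SALT), n1)
    first = server.verify(n1, r1)             # legitimate login
    same_nonce = server.verify(n1, r1)        # replay against the spent nonce
    new_nonce = server.verify(server.challenge(), r1)  # replay, fresh nonce
    return static_replay, first, same_nonce, new_nonce

if __name__ == "__main__":
    print(demo())
```

The nonce only stops a captured response from being reused; the value the server stores still works as the password if it leaks, so this does not replace submitting over SSL.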

