[thelist] Login Screen Security?

John.Brooking at sappi.com
Mon Nov 10 16:41:21 CST 2003


Howdy, all,

   Please pardon another couple of semi-newbie security questions from me.
(I'm beginning to feel that you can probably track my coding progress by the
questions I'm asking at the time.)

   So I've added some security to my app, based on having a file of
usernames and encrypted passwords. Two questions:

*	Is the Perl "crypt" function (which says it works exactly like the
crypt(3) function in the C library) a sufficient means of encrypting the
password? I'm letting the administrator set a "salt" value in the software
configuration file, and when a password comes in from the login screen, I
encrypt it with the same "salt" and compare the result to the encrypted
value in the users file. Sound okay?
*	If my login screen is not going through an SSL layer, is that a
hole? Because it seems to me that if a cracker was sniffing the line, and
saw a POST request from a page called login.html, with parameters of
"username" and "password", in plain text, what is to stop him (or her) from
then going to the site and logging himself in with the same username and
password? (Or I could call the page and the parameters something different
to be misleading, but that would be "security by obscurity", right?)

- John
------------------------
Apologies, as always, for lengthy automatic company-appended disclaimer
------------------------
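Worked example for the first question, added by the editor and not code from the original post or from thelist. It shows crypt(3)-style salted password verification against a users file, and contrasts the single administrator-configured salt the post describes with a random salt generated per user and stored next to the hash. PBKDF2-HMAC-SHA256 from Python's hashlib stands in for crypt(3) (an assumption, chosen because Python's crypt module is no longer in the standard library); the users-file format, the iteration count, the salt value and the usernames and passwords are all constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2; a value chosen for this example, not from the post.
ITERATIONS = 100_000
# One administrator-chosen salt shared by every account, as the post describes.
# The value itself is a placeholder for the example.
SHARED_SALT = b"configured-salt!"


def hash_password(password, salt):
    """Derive a fixed-length digest from password and salt (PBKDF2 stands in for crypt(3))."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(username, password, salt=None):
    """Produce one users-file line, 'username:salt:hash', all base64 (format is an assumption).

    With salt=None a fresh random 16-byte salt is generated for this user and stored
    beside the hash, so verification never needs a salt from the configuration file.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hash_password(password, salt)
    return "%s:%s:%s" % (username, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def parse_users(text):
    """Read users-file lines into {username: (salt, hash)}; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, salt_b64, hash_b64 = line.split(":", 2)
        users[name] = (base64.b64decode(salt_b64), base64.b64decode(hash_b64))
    return users


def verify(users, username, password):
    """Re-hash the submitted password with the stored salt and compare in constant time."""
    record = users.get(username)
    if record is None:
        # Burn a hash anyway so an unknown username is not faster to reject than a bad password.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def identical_hashes(users):
    """Groups of usernames whose stored hashes are byte-identical.

    With a shared salt, two accounts with the same password produce the same hash, so
    anyone who reads the file learns that fact without cracking anything. Per-user salts
    make every stored hash distinct even when the passwords are equal.
    """
    by_hash = {}
    for name, (_salt, digest) in users.items():
        by_hash.setdefault(digest, []).append(name)
    return sorted(names for names in by_hash.values() if len(names) > 1)


def demo():
    """Build the same three accounts both ways and report what each layout reveals."""
    shared = parse_users("\n".join([
        make_record("alice", "hunter2", SHARED_SALT),
        make_record("bob", "hunter2", SHARED_SALT),
        make_record("carol", "correct horse", SHARED_SALT),
    ]))
    per_user = parse_users("\n".join([
        make_record("alice", "hunter2"),
        make_record("bob", "hunter2"),
        make_record("carol", "correct horse"),
    ]))
    return {
        "shared_salt_duplicates": identical_hashes(shared),
        "per_user_salt_duplicates": identical_hashes(per_user),
        "alice_ok": verify(per_user, "alice", "hunter2"),
        "alice_wrong": verify(per_user, "alice", "Hunter2"),
        "unknown_user": verify(per_user, "mallory", "hunter2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the block prints that the shared-salt file exposes alice and bob as sharing a password while the per-user-salt file exposes nothing, and that verification still works because the salt travels with the hash. The same per-user layout is what crypt(3) itself produces when each account gets its own salt prefix.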
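Worked example for the second question, added by the editor and not code from the original post. It parses a raw HTTP POST of the kind a sniffer would capture from a login form that is not behind SSL and recovers every form field from the body. The two captured requests, the host, the path names and the credentials are constructed for the example; the second capture uses renamed page and field names to show that renaming changes only the keys the parser returns, not the attacker's ability to read the values and resubmit them.

```python
from urllib.parse import parse_qs

# Constructed sample of a plaintext login POST as seen on the wire; not real traffic.
CAPTURED_POST = (
    "POST /login.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "username=jbrooking&password=s3cret%21"
)

# Same login with the page and field names changed, also constructed for the example.
CAPTURED_POST_RENAMED = (
    "POST /go.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 23\r\n"
    "\r\n"
    "u=jbrooking&p=s3cret%21"
)


def extract_form_fields(raw):
    """Split a raw HTTP request into (method, path, fields), decoding the urlencoded body.

    Field names are not special-cased: whatever the form calls its inputs, every
    name/value pair in the body comes back decoded.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes from the next request on the stream are ignored.
    length = int(headers.get("content-length", len(body)))
    fields = {k: v[0] for k, v in parse_qs(body[:length], keep_blank_values=True).items()}
    return method, path, fields


def build_replay(host, path, fields):
    """Rebuild a POST carrying the captured fields unchanged; this is all a replay needs."""
    body = "&".join("%s=%s" % (k, v) for k, v in fields.items())
    return (
        "POST %s HTTP/1.1\r\nHost: %s\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: %d\r\n\r\n%s" % (path, host, len(body), body)
    )


if __name__ == "__main__":
    for capture in (CAPTURED_POST, CAPTURED_POST_RENAMED):
        method, path, fields = extract_form_fields(capture)
        print(method, path, fields)
```

The replay builder re-encodes nothing, so a value such as the decoded "s3cret!" would need urlencoding again before it is sent; the point is that the captured pairs are sufficient on their own. Nothing in the parser depends on the page being called login.html or the fields username and password.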
