Re: Encrypting individual characters from a password

Posted by Jerry Stuckle on 10/14/07 14:59

ChrisMHodgson@gmail.com wrote:
> Hi
>
> I am looking to implement a login form where the user is requested to
> enter specific characters from their password rather than the full
> password (i.e. like most online banks implement login forms).
>
> The reason for this is to avoid a keylogger running on the client PC
> from getting hold of the user's password.
>
> In order to check individual characters of a password I would need to
> store each character separately in the DB.
>
> This presents a security problem if the DB is accessed by a hacker, as
> even if the characters were hashed with a salt using MD5 or whatever,
> it would be very easy to identify them, as there are only a small
> range of possibilities [a-zA-Z0-9].
>
> Assuming the hacker knew the salt and hashing method, they could
> easily crack the password.
>
> So my question is, has anyone thought of a good way to store
> individual characters from a password in the DB?
>
> Thanks
> Chris
>
>

Nope,

If your server is hacked, they will have access to the database and the
code you use to encrypt/decrypt passwords. And there's nothing you can
do about it except keep your system from being hacked.

That's why one-way hashes are so popular - even if your system does get
hacked, they can't decrypt the passwords. However, in a case such as
yours, it won't work well, as you noted.

Another consideration is will people actually count out their password
to get the right character? I suspect most people won't bother.

You seem to be wanting perfect security. There is no such thing. SSL
works well for communications, but if the server or client is hacked,
there's not a lot you can do.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
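
The point raised in the question and accepted in this reply, that salted per-character hashes give no protection once the table and salt are known, shown as an added example that is not part of the original thread. The function names, the SHA-256 choice, the position-bound salt layout and the sample values are all assumptions made for illustration; the bound is the same for MD5 or any other hash, because each record is only ever tested against 62 candidates.

```python
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits  # the [a-zA-Z0-9] range from the post


def char_digest(salt: bytes, position: int, ch: str) -> str:
    """Salted hash of one password character, bound to its position (assumed layout)."""
    return hashlib.sha256(salt + position.to_bytes(2, "big") + ch.encode()).hexdigest()


def store_per_character(password: str, salt: bytes) -> list[str]:
    """What the proposed table would hold: one digest per character."""
    return [char_digest(salt, i, ch) for i, ch in enumerate(password)]


def exposure_check(records: list[str], salt: bytes) -> tuple[str, int]:
    """Count the hash evaluations needed before every stored character is known."""
    recovered, evaluations = [], 0
    for position, stored in enumerate(records):
        for candidate in ALPHABET:
            evaluations += 1
            if char_digest(salt, position, candidate) == stored:
                recovered.append(candidate)
                break
    return "".join(recovered), evaluations


def search_space(length: int) -> tuple[int, int]:
    """Worst-case guesses: per-character records vs. one hash of the whole password."""
    return len(ALPHABET) * length, len(ALPHABET) ** length


if __name__ == "__main__":
    salt = b"constructed-salt"    # constructed sample value
    password = "Tr0ub4dor3x"      # constructed sample password
    records = store_per_character(password, salt)
    found, cost = exposure_check(records, salt)
    per_char, whole = search_space(len(password))
    print(f"recovered={found!r} after {cost} hashes (bound {per_char})")
    print(f"whole-password hash worst case: {whole:.3e} guesses")
```
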

 
