|
|
Posted by Alexander Mueller on 01/10/08 11:10
Ben C wrote:
>
> All you're protecting is the identities of people's pets. There is
> however some value in this as some users may use the same password for
> lots of websites.
Well, I wouldnt really call a password a pet, but thats the point, the
password itself should never have to leave the client in its plain text.
>
> Can he? I thought root could change anyone's password to something else
> and log in to their account, but he can't see their actual password. The
> actual password is not stored anywhere, so no-one can reveal it.
Out-of-the-box usually not, however it is not too difficult to implement
a code-injection into the particular libraries to get the password.
>
> Well you make each special number one-time use only. You use it once and
> then get given another one, which you can also use only once.
> Fortunately there are plenty of numbers.
>
> If the number is not use-once then munging it with the password doesn't
> help. The replay-attacker just needs to capture the munged
> password+number.
Yes, but an attacker would get his very own special number as well, so
if the values arent "munged", he would only need to supply his number
along with the password and there you go.
Alexander
Navigation:
[Reply to this message]
|