You are here: Re: New Input type proposal « HTML « IT news, forums, messages
Re: New Input type proposal

Posted by Ben C on 01/10/08 15:41

On 2008-01-10, Alexander Mueller <noemail@example.org> wrote:
> Ben C wrote:
>>
>> All you're protecting is the identities of people's pets. There is
>> however some value in this as some users may use the same password for
>> lots of websites.
>
> Well, I wouldnt really call a password a pet,

I was referring to the common practice of using one pet's name as a
password.

> but thats the point, the password itself should never have to leave
> the client in its plain text.

Some point in that yes, but really users shouldn't use the same password
for different sites, or at least, should use one password for
low-security unimportant sites and a different one for bank accounts.

>> Can he? I thought root could change anyone's password to something else
>> and log in to their account, but he can't see their actual password. The
>> actual password is not stored anywhere, so no-one can reveal it.
>
> Out-of-the-box usually not, however it is not too difficult to implement
> a code-injection into the particular libraries to get the password.

Well there are all sorts of ways to get the password. The easiest is
usually just to read it from the post-it note stuck to the computer.

In principle, assuming no malfeasance, the administrator cannot reveal
the password.

>> Well you make each special number one-time use only. You use it once and
>> then get given another one, which you can also use only once.
>> Fortunately there are plenty of numbers.
>>
>> If the number is not use-once then munging it with the password doesn't
>> help. The replay-attacker just needs to capture the munged
>> password+number.
>
> Yes, but an attacker would get his very own special number as well, so
> if the values arent "munged", he would only need to supply his number
> along with the password and there you go.

How does munging alter that situation? If he can replay the first access
(by getting hold of the hash used) then won't he just get his very own
replaysalt in just the same way?

Can you describe an example, step-by-step, of a session in which the
replaysalt provides some benefit that one-time session numbers don't?

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация