Posted by Cord-Heinrich Pahlmann on 01/10/07 08:36
David T. Ashley wrote:
> Well, in English, that last paragraph is called "fishing for compliments".
> You secretly know your English is just fine, and you secretly want us to say
> that.
>
> Your English is just fine.
I think my English is OK, but it is not good enough to explain my
script the way I wanted to.
See below. I have to explain a lot of things because I couldn't get it
right the first time.
> STORAGE OF PASSWORDS:
>
> Modern doctrine is that passwords are NEVER stored plain or in a reversible
> way. The hash that you store should be the hash of the concatenation of:
>
> a)A key known only to the server (500 characters of random text in a file is
> fine).
>
> b)The password.
>
> c)And (a) and (b) should be repeated a few times, i.e. A + B + A + B + A + B
> + A, at least.
>
> In order for an attacker to do anything, it is required that:
>
> a)The key be compromised.
>
> b)The stored hash be compromised.
>
> c)The algorithm be compromised (although concatenation and hashing isn't
> hard to guess).
>
> d)And even once that condition is met, the best that can be mounted is a
> dictionary attack.
>
Thanks for the cause for thought. I will definitely implement this in
my project and all the future ones.
> LOST PASSWORDS:
>
> As another poster pointed out, best practice is to reset the password to a
> random new one and e-mail it to the user. A good system is to keep two
> passwords (permanent + timed temporary) so that one user can't disable
> another's account by using the "lost password" functionality. He can only
> generate nuisance e-mail.
>
> The user shouldn't be "stuck" with the random password, he should then be
> able to change it.
I realize that. That's how I programmed all my web applications. I'm
always annoyed when I forget a password and get my real password sent
back from a web application (shows that they probably store my password
in clear-text in their db).
But that's not the point of my script. It doesn't help me not to forget
my passwords (I can retrieve them from the third-party webpage if I
forget it). It is supposed to get me access to all the forum and
blog pages (wherever I am). And it logs me into those pages.
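The storage scheme quoted above (server-only key and password concatenated as A + B + A + B + A + B + A, then hashed) as an added example written for this thread, not code from either poster. `hash_quoted_scheme` implements exactly what the quote describes; `hash_salted` is an editor's addition that keeps the server key as a pepper but adds a per-user random salt and an iterated hash, which is what blunts the dictionary attack the quote names as the remaining risk. The server key value is a placeholder; the poster's advice is a few hundred random characters kept in a file only the server can read.

```python
import hashlib
import hmac
import os
from typing import Optional

# Placeholder server-side secret (constructed for this example). In a real
# deployment this is a long random string read from a file only the server can open.
SERVER_KEY = b"placeholder-server-key-replace-with-long-random-file-contents"


def hash_quoted_scheme(password: str, key: bytes = SERVER_KEY, rounds: int = 3) -> str:
    """The scheme as quoted: SHA-256 over (key + password) repeated 'rounds'
    times, followed by one more copy of the key (A+B+A+B+A+B+A for rounds=3)."""
    data = (key + password.encode("utf-8")) * rounds + key
    return hashlib.sha256(data).hexdigest()


def verify_quoted_scheme(password: str, stored: str, key: bytes = SERVER_KEY) -> bool:
    # Constant-time comparison so the check's timing does not reveal how much of
    # the stored hash a guess matched.
    return hmac.compare_digest(hash_quoted_scheme(password, key), stored)


def hash_salted(password: str, key: bytes = SERVER_KEY, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Added hardening (not in the post): a per-user random salt and an iterated hash.

    The salt means one precomputed table cannot cover every user; the iteration
    count makes each guess of a dictionary attack cost real work. The server key
    still acts as a pepper that is never stored beside the hash."""
    salt = os.urandom(16) if salt is None else salt
    # Bind the password to the server key first (keyed hash), then stretch it.
    peppered = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    # Self-describing record so the parameters can be raised later without
    # breaking verification of older entries.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str, key: bytes = SERVER_KEY) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: reject rather than guess
    _, iters, salt_hex, _ = parts
    recomputed = hash_salted(password, key, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed, stored)
```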