|
Posted by Alexander Mueller on 01/10/08 16:13
Ben C wrote:
>
> I was referring to the common practice of using one pet's name as a
> password.
Sorry, didnt notice the pun :).
>
> Some point in that yes, but really users shouldn't use the same password
> for different sites, or at least, should use one password for
> low-security unimportant sites and a different one for bank accounts.
I agree, but thats another point and they usually use the same password
for different sites.
>
>
> How does munging alter that situation? If he can replay the first access
> (by getting hold of the hash used) then won't he just get his very own
> replaysalt in just the same way?
>
> Can you describe an example, step-by-step, of a session in which the
> replaysalt provides some benefit that one-time session numbers don't?
1.) The user requests a site.
2.) The server sends the login form, issues a random replay salt and
stores it in a session.
3.) The user enters the necessary information.
4.) The browser hashes the entered password and hashes the result once
more with the replay salt.
5.) The server hashes the stored hash with the previously issued replay
salt and compares the result to the given value.
Alexander
[Back to original message]
|