Web Application Security
At what layer to hash a password Jun 21 2010 01:06PM
Robin Wood (robin digininja org) (5 replies)
RE: At what layer to hash a password Jun 28 2010 08:37PM
Niels Teusink (teusink fox-it com) (1 replies)
Re: At what layer to hash a password Jun 29 2010 04:46AM
Chris Travers (chris metatrontech com)
RE: At what layer to hash a password Jun 26 2010 07:26PM
Dave Wichers (dave wichers aspectsecurity com) (1 replies)
Re: At what layer to hash a password Jun 26 2010 07:29PM
Robin Wood (robin digininja org)
Re: At what layer to hash a password Jun 26 2010 05:02PM
Javier Bassi (javierbassi gmail com) (1 replies)
Re: At what layer to hash a password Jun 29 2010 04:43AM
Chris Travers (chris metatrontech com)
Re: At what layer to hash a password Jun 26 2010 02:36PM
Chris Travers (chris metatrontech com)
Re: At what layer to hash a password Jun 26 2010 11:13AM
Tom Ritter (tom ritter vg) (1 replies)
Re: At what layer to hash a password Jun 28 2010 08:55AM
Grega Bremec (gregab p0f net) (2 replies)
On Sat, 2010-06-26 at 07:13 -0400, Tom Ritter wrote:
> You covered several of the arguments: the password moving down the
> stacks and being intercepted there, the maintainability.
>
> But there's two more things I'd raise. First off, you really shouldn't
> be hashing your passwords. It's better to use something I don't know
> the correct term for (I've heard adaptive hashing and iterative hashing.
> I usually just call them by name).

I agree on not hashing.

Short of mentioning encryption in the transport layer (which is a must
in any such scenario), by far the most secure method involving passwords
known to me would be a challenge/response mechanism which completely
eliminates the need to transfer any kind of sensitive information over
the wire.

If the client produces the right token, the response to the challenge
will be identical to the one that the server calculated based on the PSK
at hand, and the authentication can be thought of as successful.

Regards,
--
Grega Bremec
gregab at p0f dot net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEABECAAYFAkwoY2UACgkQu0GVGrwRwC5gbACdF5fjJgp1oXLnaE2NxLFNpyAq
360AnA+7slWm3QtnFBgoM2fNrMuGqShI
=aITi
-----END PGP SIGNATURE-----

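The exchange Grega describes above (server issues a challenge, client answers from the shared secret, nothing password-like crosses the wire), combined with the iterative derivation Tom mentions so that both ends work from a PBKDF2-derived key rather than the raw password, as an added example that is not part of the original thread. The names Server, Client, derive_key, compute_response, the HMAC-SHA256 response construction, the PBKDF2 iteration count and the sample password are assumptions chosen for illustration, not anything posted in the thread.

```python
# Added example: PSK challenge/response with an iterative KDF on both sides.
# Not code from the original thread; names and parameters are illustrative.
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000   # adaptive cost: raise as hardware gets faster (assumption)
CHALLENGE_BYTES = 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Iterative KDF (PBKDF2-HMAC-SHA256) run by BOTH sides.

    The client derives K from the password on every login; the server
    computed K once at enrollment and stores only K and the salt.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=32)


def compute_response(key: bytes, username: str, challenge: bytes) -> bytes:
    """HMAC-SHA256 over a domain tag, the username and the server's challenge.

    Binding the username stops a response for one account being replayed
    against another account that happens to share the same password.
    """
    msg = b"chal-resp-v1|" + username.encode("utf-8") + b"|" + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()


class Server:
    """Holds (salt, K) per user; never sees the password after enrollment."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}
        self._pending: dict[str, bytes] = {}   # one outstanding challenge per user

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, derive_key(password, salt))

    def begin(self, username: str) -> tuple[bytes, bytes]:
        """Message 1 (server -> client): the user's salt and a fresh random challenge."""
        salt, _ = self._users[username]
        challenge = os.urandom(CHALLENGE_BYTES)
        self._pending[username] = challenge
        return salt, challenge

    def finish(self, username: str, response: bytes) -> bool:
        """Message 2 check (client -> server): recompute and compare in constant time.

        The challenge is consumed whether or not the answer is right, so a
        captured response cannot be replayed and a wrong guess cannot be
        retried against the same challenge.
        """
        challenge = self._pending.pop(username, None)
        if challenge is None:
            return False
        _, key = self._users[username]
        expected = compute_response(key, username, challenge)
        return hmac.compare_digest(expected, response)


class Client:
    """Knows only the password; derives K locally and answers the challenge."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.password = password

    def respond(self, salt: bytes, challenge: bytes) -> bytes:
        return compute_response(derive_key(self.password, salt),
                                self.username, challenge)


def authenticate(server: Server, client: Client) -> tuple[bool, bytes]:
    """Run one full exchange. Returns (accepted, response) so a caller can
    observe that what crossed the wire is a 32-byte MAC, not the password."""
    salt, challenge = server.begin(client.username)
    response = client.respond(salt, challenge)
    return server.finish(client.username, response), response


if __name__ == "__main__":
    srv = Server()
    srv.enroll("alice", "correct horse battery staple")   # constructed sample user
    ok, resp = authenticate(srv, Client("alice", "correct horse battery staple"))
    print("good password:", ok, "wire bytes:", resp.hex())
    print("wrong password:", authenticate(srv, Client("alice", "guess"))[0])
    print("replayed response:", srv.finish("alice", resp))
```

Two caveats a practitioner would weigh before adopting this. First, what the server stores is K, and for this protocol K is password-equivalent: anyone who copies the user table can answer any challenge without ever learning the password, so the scheme keeps the secret off the wire but not off the server, and the iterative KDF only slows down recovery of the original password, not impersonation. Second, the exchange authenticates the client but does not protect what follows; a challenge must be unpredictable and single-use (hence the pop in finish), the comparison must be constant-time, and, as Grega says, transport encryption is still a must so a man in the middle cannot simply take over the session once it is authenticated.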
Re:Re: At what layer to hash a password Jun 29 2010 01:48AM
(deco1987 126 com)
Re: At what layer to hash a password Jun 28 2010 02:17PM
Robin Wood (robin digininja org)


 

Copyright 2010, SecurityFocus