[Reality] Security Concerns

Glyph Lefkowitz glyph@twistedmatrix.com
Mon, 4 Oct 1999 13:26:24 -0400 (EDT)


How's this for a basic scheme for protecting passwords?

Server: VERSION
Client: 4
Server: 4
Server: XXYY
XX is the salt used on the server, YY is a new, randomly generated
two-character String.
Client: user_name
Client: crypt(crypt(user_password,XX),YY)

The server then runs crypt(stored_password,YY) and compares it to what's
just come in.

That way it's stored crypted, sent crypted, and different every time.  I
know it's weak protection cryptographically speaking, but mostly what I'm
thinking about is the packet sniffing of passwords by skript kiddiez.

----
The Tao is like a glob pattern:             It is masked but always present.
used but never used up.                     I don't know who built to it.
It is like the extern void:                 It came before the first kernel.
filled with infinite possibilities.         [glyph@twistedmatrix.com]
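The exchange above, worked through end to end as an added example (not Glyph's code and not anything from Twisted). It assumes a stand-in for crypt(3) built on SHA-256 so it runs without the deprecated crypt module; the stand-in keeps crypt's interface (a word and a two-character salt in, a short string out), which is all the scheme relies on. The Server/Client classes, the login() driver, and the reading of the VERSION lines as "server asks, client answers, server acknowledges" are assumptions made for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import string

# Salt alphabet of traditional crypt(3): [a-zA-Z0-9./]
SALT_ALPHABET = string.ascii_letters + string.digits + "./"


def crypt_like(word: str, salt: str) -> str:
    """Assumed stand-in for crypt(3): deterministic, salted, one-way.
    Real crypt(3) is DES-based; this substitute uses SHA-256 so the example
    runs anywhere, and returns 13 characters (salt + 11) like crypt does."""
    if len(salt) != 2:
        raise ValueError("crypt(3)-style salt is exactly two characters")
    digest = hashlib.sha256((salt + word).encode()).hexdigest()
    return salt + digest[:11]


def new_salt() -> str:
    """A fresh random two-character salt (used for both XX and YY)."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(2))


class Server:
    VERSION = "4"

    def __init__(self, salt: str | None = None) -> None:
        self.salt = salt or new_salt()  # XX: the one salt this server stores with
        self.stored: dict[str, str] = {}  # user_name -> crypt(user_password, XX)
        self.pending: str | None = None   # YY of the challenge currently outstanding

    def add_user(self, name: str, password: str) -> None:
        self.stored[name] = crypt_like(password, self.salt)

    def challenge(self, yy: str | None = None) -> str:
        """Send XXYY. yy can be fixed for tests; production uses a fresh random one."""
        self.pending = yy or new_salt()
        return self.salt + self.pending

    def verify(self, name: str, response: str) -> bool:
        """crypt(stored_password, YY) must equal what the client sent.
        The challenge is consumed whether or not the check passes, so a
        captured response cannot be presented a second time."""
        yy, self.pending = self.pending, None
        if yy is None or name not in self.stored:
            return False
        expected = crypt_like(self.stored[name], yy)
        return hmac.compare_digest(expected, response)


class Client:
    VERSION = "4"

    def __init__(self, name: str, password: str) -> None:
        self.name = name
        self.password = password

    def respond(self, xxyy: str) -> str:
        """crypt(crypt(user_password, XX), YY): the client recomputes the
        server's stored value from XX and then re-salts it with YY."""
        xx, yy = xxyy[:2], xxyy[2:]
        return crypt_like(crypt_like(self.password, xx), yy)


def login(server: Server, client: Client, yy: str | None = None):
    """Run the whole exchange; returns (authenticated, transcript)."""
    transcript = [("Server", "VERSION"), ("Client", client.VERSION)]
    if client.VERSION != server.VERSION:
        return False, transcript  # assumed: mismatched versions abort
    transcript.append(("Server", server.VERSION))
    xxyy = server.challenge(yy)
    transcript.append(("Server", xxyy))
    transcript.append(("Client", client.name))
    response = client.respond(xxyy)
    transcript.append(("Client", response))
    return server.verify(client.name, response), transcript


if __name__ == "__main__":
    srv = Server()
    srv.add_user("glyph", "correct horse")  # constructed sample credential
    ok, lines = login(srv, Client("glyph", "correct horse"))
    for who, msg in lines:
        print(f"{who}: {msg}")
    print("authenticated:", ok)
```

What the driver makes visible: the password itself never crosses the wire, and because YY is consumed on first use a captured response is useless against the next challenge. It also makes the weakness the author concedes concrete: the value the server stores, crypt(user_password, XX), is everything a client needs to answer any challenge, so that table has to be protected exactly as the passwords would be, and a sniffed XXYY/response pair is still a target for offline guessing since crypt is cheap to compute.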