[Reality] Security Concerns
Glyph Lefkowitz
glyph@twistedmatrix.com
Mon, 4 Oct 1999 13:26:24 -0400 (EDT)
How's this for a basic scheme for protecting passwords?
Server: VERSION
Client: 4
Server: 4
Server: XXYY
XX is the salt used on the server, YY is a new, randomly generated
two-character string.
Client: user_name
Client: crypt(crypt(user_password,XX),YY)
The server then runs crypt(stored_password,YY) and compares it to what's
just come in.
That way it's stored crypted, sent crypted, and different every time. I
know it's weak protection cryptographically speaking, but mostly what I'm
thinking about is the packet sniffing of passwords by skript kiddiez.
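The exchange above, worked through as an added example (not code from the original message). It assumes a SHA-256 based stand-in for Unix crypt(3), named crypt_stand_in, so that it runs on any Python; the VERSION line, the XXYY challenge, the doubly-crypted client reply and the server-side comparison follow the message.

```python
import hashlib
import hmac
import secrets
import string

# Stand-in for Unix crypt(3), an assumption of this example so it runs on any
# Python: same shape as crypt (a two-character salt prefixed to the result),
# but computed with SHA-256 rather than the DES-based crypt the post relies on.
SALT_CHARS = string.ascii_letters + string.digits + "./"

def crypt_stand_in(word, salt):
    if len(salt) != 2 or any(c not in SALT_CHARS for c in salt):
        raise ValueError("salt must be two characters from the crypt alphabet")
    return salt + hashlib.sha256((salt + word).encode()).hexdigest()[:11]

def new_salt():
    return "".join(secrets.choice(SALT_CHARS) for _ in range(2))

class Server:
    """Server side: stores crypt(password, XX) and challenges with a fresh YY."""
    VERSION = "4"

    def __init__(self, xx, passwords):
        self.xx = xx                      # XX: the salt used on the server
        # What the server keeps: crypt(password, XX), never the password itself.
        self.stored = {u: crypt_stand_in(p, xx) for u, p in passwords.items()}

    def challenge(self):
        yy = new_salt()                   # YY: new random salt for this login
        return self.xx + yy               # the "XXYY" line sent to the client

    def verify(self, user_name, xxyy, response):
        yy = xxyy[2:]
        stored = self.stored.get(user_name)
        if stored is None:
            return False
        # The server never needs the password: the stored value alone answers
        # the challenge, so the password file must be guarded like the passwords.
        expected = crypt_stand_in(stored, yy)
        return hmac.compare_digest(expected, response)

def client_response(user_password, xxyy):
    """Client side: crypt(crypt(user_password, XX), YY)."""
    xx, yy = xxyy[:2], xxyy[2:]
    return crypt_stand_in(crypt_stand_in(user_password, xx), yy)

def login(server, user_name, user_password):
    """Run one exchange; return (accepted, XXYY challenge, client response)."""
    xxyy = server.challenge()
    response = client_response(user_password, xxyy)
    return server.verify(user_name, xxyy, response), xxyy, response
```

Because YY changes per login, a response captured for one XXYY does not verify against a different challenge, which is the sniffing case the message is aimed at.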
----
The Tao is like a glob pattern: It is masked but always present.
used but never used up. I don't know who built to it.
It is like the extern void: It came before the first kernel.
filled with infinite possibilities. [glyph@twistedmatrix.com]