[Reality] Security Concerns

[James Knight]

At 1:26 PM -0400 10/4/99, Glyph Lefkowitz wrote:
>Client: crypt(crypt(user_password,XX),YY)
>
>The server then runs crypt(stored_password,YY) and compares it to what's
>just come in.
>
>That way it's stored crypted, sent crypted, and different every time.  I
>know it's weak protection cryptographically speaking, but mostly what I'm
>thinking about is the packet sniffing of passwords by skript kiddiez.

This is essentially the same as storing a plaintext password, except that
the actual text isn't known. Anyone who can read the password out of the
mapfile can then login using that user [just read crypt(password, XX) from
the file, and then send crypt(read_password, YY) to the server]. Now, it
may be that this is deemed an okay sacrifice, but lets just be clear about
what security actually exists here. As in previous schemes that have been
proposed, this adds protection over the wire, but removes it locally.
-James

--
You are in a maze of testy little Java VMs, all subtly different.