forms and secure authentication

Brian Andresen brian at techsoln.com
Thu Nov 21 12:14:17 PST 2002


On 11/21/02, Brad Marsh <research4 at snowcrest.net> wrote:

>Auth Scheme
>Person logs in with username "username", password "greatPassword".
> Web page javascript creates MD5 hash from password before sending to server.
>Only encrypted password is sent, and that only once.
> http://pajhome.org.uk/crypt/md5/
>
> #security script:
> gets userid, password, projid from EvenStart MySQL database (password is
>stored MD5 hashed)
> compares the two encrypted passwords
> script fails if not identical


Hi Brad,

This really isn't any more secure than simply sending the password in the clear.  (The one advantage is that for people who use the same password for many different services, a successful attacker could impersonate them only for this service, and would not gain the actual password which could be used elsewhere.  So this is a step better than sending a cleartext password.)

Using an appropriately positioned packet sniffer or a "man in the middle" approach, someone would get the exact information they need to replay the authentication.  So you send a hash of the password instead of what the user typed in -- well, what would an impersonator need to send to the server?  The actual password?  No, only the hash of the password, which is exactly what is in hand.

Feel free to correct me if I've misunderstood.

Regards,
-Brian
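The replay problem Brian describes can be shown in a few lines. The following is an added illustration, not code from Brad's script or from the pajhome MD5 library: it models the scheme in the post (client sends MD5(password), server compares it with the stored MD5) and shows that whatever a sniffer captured authenticates again unchanged. For contrast it adds a hypothetical challenge-response variant in which the server issues a random nonce per login and the client answers with an HMAC keyed by the password hash, so a captured response is useless against the next challenge. The usernames, password and nonce sizes are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample account: the server stores MD5(password), as in the post.
USERNAME = "username"
PASSWORD = "greatPassword"
USER_DB = {USERNAME: hashlib.md5(PASSWORD.encode()).hexdigest()}


def client_token_static(password: str) -> str:
    """Client side of the posted scheme: hash the password before sending it."""
    return hashlib.md5(password.encode()).hexdigest()


def server_verify_static(user: str, token: str) -> bool:
    """Server side of the posted scheme: compare the submitted hash to the stored one."""
    stored = USER_DB.get(user)
    return stored is not None and hmac.compare_digest(stored, token)


def static_scheme_replayable() -> bool:
    """What crosses the wire is exactly what the server wants: a copy logs in again."""
    token = client_token_static(PASSWORD)      # the only thing sent to the server
    captured = token                           # what a sniffer or MITM would hold
    first_login = server_verify_static(USERNAME, token)
    replayed_login = server_verify_static(USERNAME, captured)
    return first_login and replayed_login      # True: the replay is accepted


# --- Hypothetical challenge-response variant (not part of the original post) ---

def server_issue_challenge() -> str:
    """Fresh, unpredictable nonce for each login attempt; the server remembers it."""
    return secrets.token_hex(16)


def client_response(password: str, nonce: str) -> str:
    """Client derives the same hash the server stores and uses it to key an HMAC over the nonce."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return hmac.new(pw_hash.encode(), nonce.encode(), hashlib.sha256).hexdigest()


def server_verify_response(user: str, nonce: str, response: str) -> bool:
    """Server recomputes the HMAC from the stored hash and the nonce it issued."""
    stored = USER_DB.get(user)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def challenge_scheme_resists_replay() -> bool:
    """A response captured for one nonce is rejected once the server issues a new one."""
    nonce1 = server_issue_challenge()
    response1 = client_response(PASSWORD, nonce1)
    genuine = server_verify_response(USERNAME, nonce1, response1)
    nonce2 = server_issue_challenge()          # next login attempt gets a new challenge
    replayed = server_verify_response(USERNAME, nonce2, response1)
    return genuine and not replayed            # True: replay fails


if __name__ == "__main__":
    print("static MD5 token replayable:", static_scheme_replayable())
    print("challenge-response resists replay:", challenge_scheme_resists_replay())
```

Two caveats on the variant: the nonce must be single-use and bound to the session on the server, or an attacker who intercepts a live exchange can still use that one response; and the stored MD5 remains a password-equivalent, since anyone who reads the database can compute valid responses, which is the same weakness Brian notes about the hash being "exactly what is in hand". Neither construction replaces transport encryption (TLS) for protecting the login exchange.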



More information about the Frontier-Users mailing list