Subject: Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: lugnet.admin.general
Date: Sat, 22 Apr 2000 18:49:35 GMT
Viewed: 2834 times
In lugnet.admin.general, Jeremy H. Sproat writes:
> In lugnet.admin.general, Todd Lehman writes:
> > In lugnet.admin.general, Richard Franks writes:
> > > Even if you have great passwords - can't just anyone in the intervening
> > > networks between the user and LUGNET just snoop in and copy down the
> > > unencrypted password?
> > As long as it's using http and not https, yes. Once it's in a cookie, it's
> > no longer plaintext, so it's less susceptible to snooping although still
> > susceptible to playback attacks.
>
> Aren't the contents of a cookie simply Base64-encoded? I mean, it's a
> well-known and reversible format.
No, the last phase of encoding (and thus the first phase of decoding) for
the sign-in cookie is a Base16 (ASCII hex [0-9A-F]) pass. This, however, is
applied to an already-encrypted id/pw combo, which has been passed through a
pad-style encryption which changes each time you ask for a sign-in cookie.
(Thus, you'll never get the same cookie twice even if your password stays the
same.) On the receiving end, after the server decrypts your cookie, it then
reencrypts this data a different way (on the fly) and compares this with the
encrypted version on file in the encrypted-pw table. Thus no raw pw's are
stored anywhere.
--Todd
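The scheme Todd describes, written up as an added illustrative model (not LUGNET's actual code; the server key, nonce size, XOF-based pad and PBKDF2 hash are all assumptions): the id/pw pair is XORed with a pad that changes per request, the result is Base16-encoded, and the server decrypts, re-hashes the pw a different way and compares it with the stored hash, so no raw pw is ever stored.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

SERVER_KEY = b"example-server-key-not-real"  # assumed server-side secret
NONCE_LEN = 16  # assumed; the real cookie layout is not on the page


def _pad(nonce: bytes, length: int) -> bytes:
    """One-time pad derived from the server key and a fresh nonce (SHAKE-256 XOF)."""
    return hashlib.shake_256(SERVER_KEY + nonce).digest(length)


def issue_cookie(user_id: str, password: str, nonce: Optional[bytes] = None) -> str:
    """Encrypt id:pw with a fresh pad, then apply the final Base16 (ASCII hex) pass."""
    plaintext = f"{user_id}:{password}".encode()
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _pad(nonce, len(plaintext))))
    return (nonce + ciphertext).hex().upper()


def decrypt_cookie(cookie: str) -> Tuple[str, str]:
    """Undo the hex pass, then strip the pad using the nonce carried in the cookie."""
    raw = bytes.fromhex(cookie)
    nonce, ciphertext = raw[:NONCE_LEN], raw[NONCE_LEN:]
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _pad(nonce, len(ciphertext))))
    user_id, password = plaintext.decode().split(":", 1)
    return user_id, password


def hash_password(password: str, salt: bytes) -> bytes:
    """The 'different way' the pw is re-encrypted before comparing with the table."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def store_password(password: str) -> Tuple[bytes, bytes]:
    """Entry for the encrypted-pw table: salt and hash only, never the raw pw."""
    salt = os.urandom(8)
    return salt, hash_password(password, salt)


def validate_cookie(cookie: str, pw_table: Dict[str, Tuple[bytes, bytes]]) -> bool:
    """Server side: decrypt the cookie, re-hash the pw, compare in constant time."""
    try:
        user_id, password = decrypt_cookie(cookie)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed hex or a cookie too short to hold id:pw
    if user_id not in pw_table:
        return False
    salt, stored = pw_table[user_id]
    return hmac.compare_digest(hash_password(password, salt), stored)
```

Two cookies issued for the same password differ (different pad), yet the cookie is still a bearer token: presenting the same cookie again validates again, which is the playback exposure the thread mentions.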