Subject: Re: E-mail authentication during posting
Newsgroups: lugnet.admin.nntp
Date: Tue, 19 Jun 2001 13:10:06 GMT
Viewed: 605 times

On Tue, Jun 19, 2001 at 12:52:58PM +0000, Frank Filz wrote:
> Some tricks could be played to make it more secure. One would be to scan
> the message for the user's password and if it found it, but it didn't
> seem to be part of an authenticator, bounce the message. It could also
> use a fuzzy match for the authenticator, though it should bounce
> messages which aren't perfect. There is also a trivial way to prevent
> errors. Have a user config parameter which lets the user select inline
> authentication or mailback authentication. If the password doesn't
> match, the message will be bounced, not even submitted for mailback
> authentication.

You can't have the server scan for the user's password in the message, since
passwords aren't usually saved anywhere on the server at all.  So to check
for the password, each word, or combination of chars actually (since space
can be part of the password, I think), will have to be run through the one-way
hash and compared with the stored hash...  I can't imagine the server
load liking this much...  Besides, what if I typo my password only slightly?
That would be enough to run a small brute force attack to guess it...

As for a config option restricting a user to using only the inline password,
well, I don't like that too much - IMO there should always be a workable
default fallback...

But hey, my work habits are not like the typical user's, so this might
work for other people :)

--
Dan Boger / dan@peeron.com / www.peeron.com / ICQ: 1130750
<set:6950_1>:  Mobile Rocket Transport (LEGO/SYSTEM/Space/Classic), '82, 202 pcs, 2 figs
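Dan's objection above, worked through as an added Python illustration that is not part of the thread: when the server holds only a salted one-way hash, its only way to "scan the message for the password" is to hash every candidate substring and compare, and an exact-match scan still misses a password pasted with a one-character typo. PBKDF2-HMAC-SHA256, the low iteration count, the 6-to-32 character length bounds and the sample post body are all assumptions made for this demo.

```python
import hashlib
import hmac
import os

# Constructed example: the server keeps only a salted one-way hash of the
# password (PBKDF2-HMAC-SHA256 with a deliberately low iteration count so
# the demo runs quickly); the plaintext password is never stored.
def store_password(password, iterations=50):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}

def verify_inline_password(candidate, record):
    """Check one candidate string against the stored hash (constant-time compare)."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

def scan_message_for_password(message, record, min_len=6, max_len=32):
    """The 'scan the message for the user's password' idea, done the only way a
    hash-only server can: hash every substring of plausible password length
    (spaces included, as Dan notes) and compare it with the stored hash.
    Returns (found, number_of_hash_evaluations)."""
    evaluations = 0
    n = len(message)
    for start in range(n):
        for length in range(min_len, max_len + 1):
            if start + length > n:
                break
            evaluations += 1
            if verify_inline_password(message[start:start + length], record):
                return True, evaluations
    return False, evaluations

# Constructed sample: a 200-character post body with the password pasted
# verbatim, and the same body with a one-digit typo in the password.
PASSWORD = "brick by brick 1982"
MESSAGE_LEAKED = ("Re: set 6950 pricing. I think the " + PASSWORD +
                  " list is fine, but the moulds are wrong.").ljust(200, "x")
MESSAGE_TYPO = MESSAGE_LEAKED.replace(PASSWORD, "brick by brick 1983")

if __name__ == "__main__":
    rec = store_password(PASSWORD)
    print(scan_message_for_password(MESSAGE_LEAKED, rec))  # (True, 932)
    print(scan_message_for_password(MESSAGE_TYPO, rec))    # (False, 4914)
```

Scale the 4914 hash evaluations for a 200-character body up to a real post and a real iteration count and the server-load point makes itself; the typo case shows why catching near-misses would need a fuzzy comparison the hash cannot provide.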