[Catalyst] Storing a password hash with DBIC
Brandon Black
blblack at gmail.com
Thu Aug 10 17:47:24 CEST 2006
On 8/10/06, Mark Blythe <list at markblythe.com> wrote:
>
> I must be missing something here.
You're not missing something. The main gain of the simple version of
client-side hashing is that you don't know the original password. This is a
useful security feature for the user, because most users re-use passwords
all over the place. If you salt the hashes with your domain name or
something, the hashes in the db aren't useful for breaking into sites other
than your own either (which presumably they've already done if they have
access to your password store). The reason I offered the "simple" version
of client-side hashing is precisely because it gives a little bit of gain,
and is virtually painless to implement.
To get real security, it gets a bit more complicated to implement (although
someone probably could/will write a Catalyst plugin to handle all of this
eventually), the details are available at the same site I linked the
sha1.jssource at, just a little bit down the left-hand menu:
http://pajhome.org.uk/crypt/md5/auth.html
The "Alternative System" he describes halfway down that page solves most
basic security issues. It involves two layers of client-side hashing and a
challenge-response system that you could implement via ajax-style calls.
-- Brandon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.rawmode.org/pipermail/catalyst/attachments/20060810/a9208b26/attachment.htm
More information about the Catalyst
mailing list