WebApp Sec mailing list archives
Re: At what layer to hash a password
From: Wil Clouser <clouserw () gmail com>
Date: Mon, 5 Jul 2010 17:44:00 -0700
On Mon, Jul 5, 2010 at 2:09 AM, arvind doraiswamy <arvind.doraiswamy () gmail com> wrote:
> a) At the client: Your main threat here is local access. If the app is public and people might access it from a public computer, there's a chance they might be able to steal it from the RAM. So some JavaScript with a salted implementation of MD5 should work well here. The salt should be random though, otherwise you could just replay the MD5 password and gain access... and you're back to square 1.
If you're concerned about a compromised client, implementing client-side code is not the answer. If someone can "steal it from RAM" they can certainly just keylog it as I type it in too (or disable JavaScript). For 99% of web apps: Use SSL for transport encryption, encrypt the password in the app where you have more options than a db, and watch for strange authentication activity (failed logins, multiple access, geographic/IP distances, etc.). Target what you can control and watch for unusual trends - that will offer the most protection for your customers.

Wil
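A server-side version of what Wil recommends, as an added example that is not code from the thread: the password is hashed in the application layer with a per-user random salt and a slow KDF, verified in constant time, and failed logins are tracked per account so bursts can be flagged. PBKDF2-SHA256, the iteration count, the failure threshold and the time window are assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque
from typing import Optional, Tuple

# Assumed parameters (not from the thread): tune to your hardware and risk.
ITERATIONS = 100_000      # PBKDF2 rounds; slows offline guessing of a leaked table
FAIL_THRESHOLD = 5        # failed logins per account before flagging
FAIL_WINDOW = 300         # seconds the failures are counted over


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh 16-byte random salt is used unless supplied."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, dk


class AuthService:
    """Hashing and verification live here, in the app layer, not in the client or the DB."""

    def __init__(self) -> None:
        self.users = {}                      # username -> (salt, derived_key)
        self.failures = defaultdict(deque)   # username -> timestamps of failed logins

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def verify(self, username: str, password: str, now: float) -> bool:
        """Check the password server-side and record a failure for later trend analysis."""
        record = self.users.get(username)
        # Derive a key even for unknown users so response time does not reveal valid names.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        _, candidate = hash_password(password, salt)
        ok = record is not None and hmac.compare_digest(candidate, stored)
        if not ok:
            self.failures[username].append(now)
        return ok

    def suspicious(self, username: str, now: float) -> bool:
        """True when the account has FAIL_THRESHOLD or more failures inside FAIL_WINDOW."""
        q = self.failures[username]
        while q and now - q[0] > FAIL_WINDOW:   # drop failures that aged out of the window
            q.popleft()
        return len(q) >= FAIL_THRESHOLD
```

Because the salt is random per user, the same password stored twice yields different hashes, so a captured hash cannot simply be replayed as the credential.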
Current thread:
- Re: At what layer to hash a password arvind doraiswamy (Jul 05)
- Re: At what layer to hash a password Chris Travers (Jul 05)
- Re: At what layer to hash a password Wil Clouser (Jul 06)
- Message not available
- Re: At what layer to hash a password arvind doraiswamy (Jul 19)