Re: Login credentials and session id security

[Shaon Diwakar <shaon.diwakar () yahoo com au>]

Hi, 

Hashing a users password protects against the transmission of sensitive data in clear text (accidental or otherwise) - 
again, it is simply one of several controls/safeguards developers can employ to discourage attacks by a malicious 
individual (I agree however that it does not provide any 'real' security on the clients side - as keystrokes are easily 
logged and memory easily analysed). 

Using HTTPS on logon pages reduces the likelihood of that users password/user id being captured in transit - however if 
an attacker were savvy enough to for example 'suck packets out of a proxy' - they would have already won - that is to 
say, they would already have that users session ID (assuming again that transmission was done over an unencrypted 
channel) and it would simply be a matter of replaying that session cookie back to the application server (while the 
session remains active) to gain access to that web application.

Web applications are stateless, so the only way for an application server to know who you are is through your session 
ID. Thus it is important that all efforts be directed towards safe guarding a users session ID - be it using hashing, 
using tokens or some other mechanism.

Cheers,
sHz

----- Original Message ----
From: James Landis <jcl24 () cornell edu>
To: scottsanchez () gmail com
Cc: Vishal Garg <vishal () firstbase co uk>; webappsec () securityfocus com
Sent: Tuesday, 12 June, 2007 12:27:56 AM
Subject: Re: Login credentials and session id security

Theoretically, this adds no security. In practice, however, it might
actually provide some security. If the attacker is just trolling for
arbitrary plaintext usernames/passwords in POST requests, encrypting
the password on the client side before sending it will defeat him. If
the attacker is specifically trying to capture the password for your
site, he will likely be able to capture the secret sent to the client
in order to encrypt the password.

As usual, there are probably better ways to invest your development
time to improve the security of the app.

-j

On 6/8/07, Scott C. Sanchez <scottsanchez () gmail com> wrote:
> I don't see how salting or hashing the password in the client prior to
> submitting it will make it more secure.  Anyone savvy enough to suck
> your packets out of the proxy and make sense of them would just look
> at the login page to find the key for the hash or salt.
>
> One time passwords or a token-based solution like securid or mypw are
> your best solution IMO.
>
> -Scott





-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------