WebApp Sec mailing list archives
Re: At what layer to hash a password
From: Chris Travers <chris () metatrontech com>
Date: Mon, 28 Jun 2010 21:43:21 -0700
On Sat, Jun 26, 2010 at 10:02 AM, Javier Bassi <javierbassi () gmail com> wrote:
> If I'm not wrong, some forums like vBulletin when you log in, they send the password in md5 (using javascript). That's better than sending it in plain/text.

How so? In either case you have an observable value which can be submitted to the web server to gain access. Obfuscation != security. Either use SSL or a challenge/response authentication system of some sort. There really isn't a substitute beyond this.

Best Wishes,
Chris Travers
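
The difference between the two schemes discussed in this message, as an added example that is not part of the original post: an in-memory model of a login that accepts a client-side MD5 of the password next to one that uses a single-use nonce with HMAC. The account, password, class and function names are constructed for illustration, and HMAC-SHA256 is an assumed choice of challenge/response primitive.

```python
import hashlib
import hmac
import secrets

# Constructed sample account; values are illustrative only.
PASSWORD = "correct horse"
STORED_MD5 = hashlib.md5(PASSWORD.encode()).hexdigest()  # scheme A server record

def login_static_hash(submitted: str) -> bool:
    """Scheme A: the client sends md5(password); the server compares it."""
    return hmac.compare_digest(submitted, STORED_MD5)

class ChallengeServer:
    """Scheme B: the server issues a single-use nonce and expects
    HMAC-SHA256(secret, nonce) back from the client."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: str) -> bool:
        if nonce not in self._pending:
            return False  # unknown or already-used nonce
        self._pending.discard(nonce)
        expected = hmac.new(self._secret, nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(response, expected)

def client_response(secret: bytes, nonce: bytes) -> str:
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()

def demo() -> dict:
    # The value visible on an unencrypted connection in each scheme.
    observed_a = hashlib.md5(PASSWORD.encode()).hexdigest()
    server = ChallengeServer(PASSWORD.encode())
    n1 = server.challenge()
    observed_b = client_response(PASSWORD.encode(), n1)
    legit = server.verify(n1, observed_b)
    n2 = server.challenge()
    return {
        "static_hash_replay_accepted": login_static_hash(observed_a),
        "legitimate_response_accepted": legit,
        "replay_same_nonce_accepted": server.verify(n1, observed_b),
        "replay_new_nonce_accepted": server.verify(n2, observed_b),
    }

if __name__ == "__main__":
    print(demo())
```

In scheme A the observed value is itself the credential, so resubmitting it succeeds; in scheme B the observed response is bound to a nonce the server will not accept again.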