[progress Communities] [progress Openedge Abl] Forum Post: Re: Password Encryption At...

Thread starter: Matt Baker

Matt Baker

Guest
Peter, occasionally a request comes up to obfuscate the password, even running on HTTPS, on the client before sending it to the server. I assume this is so that the password remains obfuscated even when travelling through an SSL-enabled proxy. There is already an implementation of that built into web browsers: it is called HTTP Digest authentication. I dislike HTTP Digest authentication because it requires the server to store the unencrypted form of the password in order to generate the same hash as the client (since it uses a nonce value for each auth request as part of the hash). Storing unencrypted passwords on the server is dangerous. Just ask Adobe (and dozens of other high profile companies). Passwords should never be stored as cleartext on the server. They should be hashed and salted with multiple rounds. There is a cheat sheet on the OWASP wiki which has a long list of items to consider when performing authentication. www.owasp.org/.../Authentication_Cheat_Sheet
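As an added example (not Matt's code, and not part of the original post), the two points above in Python's standard library: the Digest response computed the way a browser does, showing that the server only needs HA1 (a password-equivalent secret) to check it, beside a salted, multi-round PBKDF2 record that the server can store instead. The username, realm, URI and nonce values are constructed, and the iteration count is an assumption to tune per deployment.

```python
import hashlib
import hmac
import os


def ha1(username: str, realm: str, password: str) -> str:
    """Digest's HA1 = MD5(username:realm:password). To verify a client
    response the server must hold the cleartext password or this value."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def digest_from_ha1(h1: str, method: str, uri: str, nonce: str) -> str:
    """Digest response (RFC 2617, no qop) = MD5(HA1:nonce:HA2) with
    HA2 = MD5(method:uri). Nothing beyond HA1 is needed, so HA1 is
    password-equivalent for the realm and must be guarded like cleartext."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{h1}:{nonce}:{ha2}".encode()).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """What the browser sends: derived from the cleartext password it holds."""
    return digest_from_ha1(ha1(username, realm, password), method, uri, nonce)


# Assumed default; in the range OWASP currently suggests for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, multi-round hash for server-side storage. A fresh random salt
    per record means two users with the same password get different hashes."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

The stored PBKDF2 record is useless for answering a Digest challenge, which is exactly why Digest cannot be combined with proper password hashing on the server.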
