Hi,
Hashing a user's password protects against the transmission
of sensitive data in clear text (accidental or otherwise) -
again, it is simply one of several controls/safeguards
developers can employ to discourage attacks by a malicious
individual (I agree however that it does not provide any
'real' security on the client's side - as keystrokes are
easily logged and memory easily analysed).
Using HTTPS on logon pages reduces the likelihood of that
user's password/user ID being captured in transit - however
if an attacker were savvy enough to for example 'suck
packets out of a proxy' - they would have already won - that
is to say, they would already have that user's session ID
(assuming again that transmission was done over an
unencrypted channel) and it would simply be a matter of
replaying that session cookie back to the application server
(while the session remains active) to gain access to that
web application.
Web applications are stateless, so the only way for an
application server to know who you are is through your
session ID. Thus it is important that all efforts be
directed towards safeguarding a user's session ID - be it
using hashing, using tokens or some other mechanism.
Cheers,
sHz
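As an added illustration of the point above about safeguarding the session ID (this code is not from any message in the thread), a minimal server-side session store: the ID is random rather than derived from user data, it is re-issued at login, an idle timeout bounds how long a captured cookie can be replayed, and the Secure attribute keeps the cookie off an unencrypted channel in the first place. The class and function names and the 15-minute timeout are assumptions chosen for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy value for this example; it is not from the thread.
SESSION_TTL_SECONDS = 15 * 60  # idle timeout: bounds how long a captured cookie stays replayable


@dataclass
class Session:
    user: Optional[str]  # None until the user has authenticated
    last_seen: float


class SessionStore:
    """Server-side session table keyed by an unguessable random ID (hypothetical helper)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.sessions: Dict[str, Session] = {}
        self.clock = clock  # injectable so expiry can be exercised without waiting

    def create(self, user: Optional[str] = None) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never derived from user data
        self.sessions[sid] = Session(user, self.clock())
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Resolve a presented cookie; unknown or idle-expired IDs are rejected, live ones refreshed."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_seen > SESSION_TTL_SECONDS:
            del self.sessions[sid]  # a replayed cookie stops working once the session has gone idle
            return None
        session.last_seen = now
        return session

    def rotate_on_login(self, old_sid: str, user: str) -> str:
        """Swap the pre-login ID for a fresh one, so an ID observed before authentication is worthless."""
        self.sessions.pop(old_sid, None)
        return self.create(user)


def set_cookie_header(sid: str) -> str:
    # Secure: the browser sends the cookie only over HTTPS, so it never crosses an unencrypted channel.
    # HttpOnly: page script cannot read it. SameSite: it is not attached to cross-site requests.
    return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
```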
----- Original Message ----
From: James Landis <jcl24 cornell.edu>
To: scottsanchez gmail.com
Cc: Vishal Garg <vishal firstbase.co.uk>;
webappsec securityfocus.com
Sent: Tuesday, 12 June, 2007 12:27:56 AM
Subject: Re: Login credentials and session id security
Theoretically, this adds no security. In practice, however,
it might
actually provide some security. If the attacker is just
trolling for
arbitrary plaintext usernames/passwords in POST requests,
encrypting
the password on the client side before sending it will
defeat him. If
the attacker is specifically trying to capture the password
for your
site, he will likely be able to capture the secret sent to
the client
in order to encrypt the password.
As usual, there are probably better ways to invest your
development
time to improve the security of the app.
-j
On 6/8/07, Scott C. Sanchez <scottsanchez gmail.com> wrote:
> I don't see how salting or hashing the password in the
> client prior to submitting it will make it more secure.
> Anyone savvy enough to suck your packets out of the proxy
> and make sense of them would just look at the login page
> to find the key for the hash or salt.
>
> One time passwords or a token-based solution like
> securid or mypw are your best solution IMO.
>
> -Scott