Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine
 
PerlMonks  

Re^2: RFC / Audit: Mojo Login Example

by haukex (Bishop)
on Mar 23, 2020 at 07:35 UTC ( #11114562=note: print w/replies, xml ) Need Help??


in reply to Re: RFC / Audit: Mojo Login Example
in thread RFC / Audit: Mojo Login Example

Thank you for the thoughtful reply!

You don't want to expose the salt to the client - but without salt hashing doesn't give better security.

Yes, I should have been more clear on this - I would take a hash of only the password on the client side, say SHA-512 multiple times, and additionally do the same hashing+salt on the server. That way, the cleartext password is never seen by the server, and provided the hash isn't in a rainbow table somewhere, it adds a tiny bit more security.

All of your points are excellent, and yes, I see that perhaps a per-IP delay or lockout on too many attempts might even be better than the current implementation (in Mojo: $c->tx->remote_address). Even though I agree logging is very important, did leave it out of this example... but luckily Mojo makes it fairly easy to add: app->log->warn("..."), app->log->error("...") and so on, and it can be redirected into a database as well via the event mechanism built into Mojo::Log.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://11114562]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others cooling their heels in the Monastery: (4)
As of 2021-12-02 21:48 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    R or B?



    Results (25 votes). Check out past polls.

    Notices?