Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine

Re: Re: Re: Re: CGI and saving passwords

by flyingmoose (Priest)
on May 04, 2004 at 22:50 UTC ( #350623=note: print w/replies, xml ) Need Help??

in reply to Re: Re: Re: CGI and saving passwords
in thread CGI and saving passwords

You're right, it is fairly academic ... md5 does have some known (but minor) collision problems, though.

At this point (or level of questioning), one also might want to understand 'plaintext equivalence', just to not get in the rut of 'it's not a password but it's as GOOD as a password'. Sending md5 hashes over plaintext http is a plaintext equivalence problem. Session ID's are best. I know of a certain app that doesn't send passwords, but you can sniff the transmissions, copy the packets, and use them in a "replay attack" -- because what is sent, though not the password, is just as good as a password.

Also see "challenge-response" type behavior (we're getting into overkill if you aren't dealing with shell accounts at this point) and maybe if you are really excited about this, read "Applied Cryptography" by Bruce S. I really don't claim to understand half of it, but it's a good skim during boring work telecoms -- and math is fun.

Really, most people don't need to worry about all of these vulnerabilities or potential vulnerabilities, but it is important to know when you do need to know, which unfortunately most people don't know when they need to know :)

  • Comment on Re: Re: Re: Re: CGI and saving passwords

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://350623]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others chanting in the Monastery: (6)
As of 2023-02-01 14:44 GMT
Find Nodes?
    Voting Booth?
    I prefer not to run the latest version of Perl because:

    Results (9 votes). Check out past polls.