Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options
 
PerlMonks  

comment on

( #3333=superdoc: print w/replies, xml ) Need Help??

if your challenge of the day is only changed once per day, once an attacker has sniffed the username and hash, those are all they need to get in for the rest of the day. you can improve it somewhat by including the client's IP address in the hash, but this will cause problems if they're behind a proxy, etc. and it still isn't 100% solid because IP addresses can be spoofed.

the only truly secure way to authenticate over an insecure channel without using encryption is with a zero knowledge proof, but implementing a ZKP is a complex undertaking since it is necessarily interactive and would require sophisticated client-side action. the chances of screwing something up in the implementation and wrecking the security are probably high enough that it's not worth even considering.

if i were you and i were really concerned about security, i would run everything over https and use basic HTTP authentication. it's simple and about as secure and reliable as you're going to get.

also, it sounds like you're storing passwords on the server in some unencrypted form. this is almost always a bad idea.

there's no such thing as perfect security. the best you can do is to make it hard enough to crack that the expense of cracking it would be more than any possible reward that the attacker would get.


In reply to Re: Re: Re: Securing Web Apps. by thraxil
in thread Securing Web Apps. by jdtoronto

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or or How to display code and escape characters are good places to start.
Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others pondering the Monastery: (4)
As of 2021-12-09 14:41 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    R or B?



    Results (36 votes). Check out past polls.

    Notices?