CGI question: safe passwords possible?
Ian Bicking
ianb at colorstudy.com
Fri May 30 21:18:54 EDT 2003
On Fri, 2003-05-30 at 19:55, Gerhard Häring wrote:
> > You can find free code for doing MD5 or SHA hashing in JavaScript, and
> > then use code kind of like:
> >
> > <form action="whatever" onSubmit="dohash(this)">
> > [...]
>
> Riiiight. So how exactly does this help against a man-in-the-middle
> attack?
Adding the proper salt to protect against this (I would suggest
timestamp + IP address) is another exercise left to the reader.
Using client-side scripting isn't the worst thing in the world. It has
the potential to be quite secure.
If you're worried about man-in-the-middle, then nothing short of SSL
(with properly signed certificates) will work. But really,
man-in-the-middle is more a talking point than a real threat. People
use those arguments to raise the bar on security, but that sort of
criticism is seldom useful or constructive. The likelihood of a
man-in-the-middle attack is far, far less than the likelihood of having
your connection sniffed -- solving the sniffing problem is a real
improvement in security.
Ian
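An added example of the salted client-side hash scheme Ian sketches, written for this page and not taken from his post or from the thread. It uses the salt he suggests (timestamp + IP address) plus a random nonce, and does both halves in Python so it runs stand-alone: client_dohash() stands in for the JavaScript dohash() in the form, verify_response() is the CGI side. The function names, the challenge format and the 60-second lifetime are assumptions. Two checks a practitioner would want are included: the server refuses a replayed challenge (so a sniffed challenge/response pair is useless), and the server stores SHA-256(password) rather than the password; note that for this protocol that stored digest is a password-equivalent, so the store needs protecting as carefully as a plaintext password file would.

```python
import hashlib
import hmac
import secrets
import time

# Added illustration for this thread, not code from the post. It mirrors the
# scheme Ian sketches: the browser hashes the password with a server-issued salt
# (timestamp + IP address, plus a random nonce here) so a sniffer who captures
# the response cannot reuse it. Function names, the challenge format and the
# lifetime are made up for the example.

CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumption for the example)


def make_user_record(password):
    """Server-side store. The server keeps SHA-256(password), never the
    password. Caveat: for this protocol that digest is a password-equivalent
    (knowing it lets you answer any challenge), so the store itself must be
    protected as carefully as a plaintext password file would be."""
    return {"pw_hash": hashlib.sha256(password.encode()).hexdigest()}


def issue_challenge(client_ip, now=None):
    """Server: build the salt (timestamp | client IP | random nonce) that is
    embedded in the login form. '|' is the separator so IPv6 addresses with
    colons parse unambiguously."""
    ts = int(time.time() if now is None else now)
    return "%d|%s|%s" % (ts, client_ip, secrets.token_hex(8))


def client_dohash(password, challenge):
    """Client: the Python stand-in for the JavaScript dohash() in the thread.
    Only H(challenge | H(password)) leaves the browser; the password does not."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return hashlib.sha256(("%s|%s" % (challenge, pw_hash)).encode()).hexdigest()


def verify_response(record, challenge, response, client_ip, used_challenges, now=None):
    """Server: recompute the expected digest from the stored H(password) and
    reject stale, foreign-IP or already-used challenges before comparing."""
    now = time.time() if now is None else now
    try:
        ts_str, ip, _nonce = challenge.split("|", 2)
        ts = int(ts_str)
    except ValueError:
        return False
    if ip != client_ip:                      # salt was bound to the requesting address
        return False
    if not 0 <= now - ts <= CHALLENGE_TTL:   # stale or future-dated challenge
        return False
    if challenge in used_challenges:         # replay of a sniffed challenge/response pair
        return False
    used_challenges.add(challenge)           # one attempt per challenge, right or wrong
    expected = hashlib.sha256(
        ("%s|%s" % (challenge, record["pw_hash"])).encode()
    ).hexdigest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed walk-through: a legitimate login, then a sniffer replaying it.
    record = make_user_record("hunter2")
    used = set()
    challenge = issue_challenge("10.0.0.5")
    response = client_dohash("hunter2", challenge)   # what crosses the wire
    print("first login:", verify_response(record, challenge, response, "10.0.0.5", used))
    print("replay of sniffed pair:", verify_response(record, challenge, response, "10.0.0.5", used))
    fresh = issue_challenge("10.0.0.5")
    print("sniffed response vs new challenge:", verify_response(record, fresh, response, "10.0.0.5", used))
```

The response is only ever valid for the one challenge it was computed over, which is what defeats the passive sniffer Ian is talking about; it does nothing against an active man-in-the-middle who can alter the page or the form, which is the point Gerhard raises and for which Ian points at SSL.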