CGI question: safe passwords possible?
Peter Hansen
peter at engcorp.com
Mon Jun 2 09:10:26 EDT 2003
Paul Rubin wrote:
>
> Don't do it that way, since the hashed value sent to the server is
> re-useable. Try something more like:
>
> <form action="whatever" onSubmit="dohash(this)">
> <input type="password" name="password">
> <input type="hidden" name="password_enc">
> <script>
> function dohash(form) {
> # Set "iv" to some random server-generated junk that's different every time
> iv = "un43iuhiuanasdcainini3nr3r"
>
> form.elements.password_enc.value =
> md5hash(iv + md5hash(iv + form.elements.password.value));
> form.elements.password.value = "";
> }
Doesn't this implementation also suffer from requiring the server
side to store the password somewhere effectively in the clear?
An extra pre-hash step on the password above, prior to the hashing with
the random number, is probably a good idea. That way the server will
be able to pre-hash the passwords as well prior to storage, and they
are not available even to administrators.
(Paul, I don't understand why you did a double hash above, since it
doesn't seem to add any extra value over a single one, in this case.)
Also note: you won't be able to have your users change their passwords
securely with any such approach. For that, I believe SSL is going to
be the only secure option, to avoid ever sending a password to the server
in the clear. (Or generate passwords on the server side and email to the
user, though that has obvious other problems...)
-Peter
More information about the Python-list
mailing list