Archive of UserLand's first discussion group, started October 5, 1998.

Security of MTTF and BBS passwords

Author:Jon Stevens
Posted:2/10/1999; 7:35:48 PM
Topic:A new toy!
Msg #:2819 (In response to 2691)
Prev/Next:2817 / 2820

Dave,

Is there some reason why you are not encrypting the password that is set in the cookie for your various services like MTTF and the BBS (I'm assuming that you are re-using the same code here)?

An easy way to do this and provide at least a minimal amount of security would be to create an MD5 hash of the password and send that back in the cookie. When you need to validate the password, simply re-hash the value in the cookie with the value in your database. You can make that almost impossible to spoof by adding a "secretkeyword" string to the original string before you hash it that nobody knows.

Or even better, only put a random portion of the hash into the cookie. Keep the other half of it and the password yourself. Then, just simply recombine the pieces of the hash, create a hash of the password and compare the two.

This little step would make things much much much more secure for your users and would not take much time at all to implement.

thanks,

-jon

There are responses to this message:

This page was archived on 6/13/2001; 4:47:50 PM.

© Copyright 1998-2001 UserLand Software, Inc.