Archive of UserLand's first discussion group, started October 5, 1998.
Re: Security of MTTF and BBS passwords
Author: Eric Soroos Posted: 2/11/1999; 3:30:58 PM Topic: A new toy! Msg #: 2851 (In response to 2820) Prev/Next: 2842 / 2852
How about something that tied the password to a specific IP?
Add together ipaddress+user+password(+possibly some server side secret) and hash that. If you add in the ip address, it can't be replayed from some other computer. If there is a time of original cookie creation, then the same computer can have different passwords at different times. (such as a shared computer, where the user logs off for a while and someone else can't come in and try a replay attack.)
Basically what needs to happen for this sort of password setup to be secure is
1) a good hash.
2) anti replay devices i.e. make it a one time token or a location specific token
3) easily calculated if you know the correct information and procedure. (i.e. not too much server load)
As a point of reference, APOP for pop3 mail retrieval uses something similar to this. In the banner of the server, there is a string that contains the current time, server name, or some other one time unique ID in <>'s. The pop client then sends authentication back in the form of apop username md5(uniqueID+password). The server can calculate the md5 of the id+correct password and compare it to the one that is passed in by the client.
This method is obviously a little different than what you'd want for a http based method, since this exact method would requre logging in at every hit. But something similar would improve the security of cookie based passwords.
This page was archived on 6/13/2001; 4:47:51 PM.
© Copyright 1998-2001 UserLand Software, Inc.