Archive of UserLand's first discussion group, started October 5, 1998.

Re: Security of MTTF and BBS passwords

Author:Eric Soroos
Posted:2/11/1999; 3:30:58 PM
Topic:A new toy!
Msg #:2851 (In response to 2820)
Prev/Next:2842 / 2852

How about something that tied the password to a specific IP?

Add together ipaddress+user+password(+possibly some server side secret) and hash that. If you add in the ip address, it can't be replayed from some other computer. If there is a time of original cookie creation, then the same computer can have different passwords at different times. (such as a shared computer, where the user logs off for a while and someone else can't come in and try a replay attack.)

Basically what needs to happen for this sort of password setup to be secure is

1) a good hash.

2) anti replay devices i.e. make it a one time token or a location specific token

3) easily calculated if you know the correct information and procedure. (i.e. not too much server load)

As a point of reference, APOP for pop3 mail retrieval uses something similar to this. In the banner of the server, there is a string that contains the current time, server name, or some other one time unique ID in <>'s. The pop client then sends authentication back in the form of apop username md5(uniqueID+password). The server can calculate the md5 of the id+correct password and compare it to the one that is passed in by the client.

This method is obviously a little different than what you'd want for a http based method, since this exact method would requre logging in at every hit. But something similar would improve the security of cookie based passwords.


This page was archived on 6/13/2001; 4:47:51 PM.

© Copyright 1998-2001 UserLand Software, Inc.