Archive of UserLand's first discussion group, started October 5, 1998.

Re: Security of MTTF and BBS passwords

Author:Eric Soroos
Posted:2/11/1999; 3:30:58 PM
Topic:A new toy!
Msg #:2851 (In response to 2820)
Prev/Next:2842 / 2852

How about something that tied the password to a specific IP?

Add together ipaddress+user+password(+possibly some server side secret) and hash that. If you add in the ip address, it can't be replayed from some other computer. If there is a time of original cookie creation, then the same computer can have different passwords at different times. (such as a shared computer, where the user logs off for a while and someone else can't come in and try a replay attack.)

Basically what needs to happen for this sort of password setup to be secure is

1) a good hash.

2) anti replay devices i.e. make it a one time token or a location specific token

3) easily calculated if you know the correct information and procedure. (i.e. not too much server load)

As a point of reference, APOP for pop3 mail retrieval uses something similar to this. In the banner of the server, there is a string that contains the current time, server name, or some other one time unique ID in <>'s. The pop client then sends authentication back in the form of apop username md5(uniqueID+password). The server can calculate the md5 of the id+correct password and compare it to the one that is passed in by the client.

This method is obviously a little different than what you'd want for a http based method, since this exact method would requre logging in at every hit. But something similar would improve the security of cookie based passwords.

eric






This page was archived on 6/13/2001; 4:47:51 PM.

© Copyright 1998-2001 UserLand Software, Inc.