--- hbaxmann <[EMAIL PROTECTED]> wrote:

> > > > is not particularly secure and I would prefer to have a more robust
> > > > solution (say with encrypted passwords ;-) ) but it works for now.
> > >
> > > <sarcasm>
> > > Why not via SRP ?
> > > </sarcasm>
> > >
> > > sorry, could not resist
> >
> > Interesting, how would this fit into Geronimo to provide the general
> > JAAS login mechanisms to obtain subjects?
>
> You are asking seriously?
>
> http://srp.stanford.edu/
>
> Then in all aspects. There are many LoginModules available with SRP.
>
> But, unfortunately it is useless.

Strong words there. Bite your tongue.

> Because secure passwords do simply not exist:
>
> http://fiatlux.zeitform.info/en/instructions/passwords.html
>
> Theoretically and from an academic point of view, and only there: it
> provides security to a secure token (the password) on the wire - but
> nowhere else.

Wrong, it hashes the password on the server side, but granted, given failed physical security a dictionary attack could potentially get at it. But this is true for any authentication mechanism I know of.

> Nobody, nobody will try to exploit your delivery of PASSWORDS on the
> wire.

Just from personal experience, I can tell you that what you say is false. You are assuming things outside of your domain of knowledge, and then trying to convince others of your viewpoint. Stop it. You are causing harm.

If a potential hacker has access to your network, or is an employee or something, running a packet sniffer can be trivial. If a tool is available to crack passwords using certain protocols it becomes even more trivial to hack your box. Disallowing security, such as challenge and response or something similar, just because passwords are inherently weak anyway is a very bad idea. Either seal up any holes you can, or just send out invites to hack your new weakly authenticated server.

Also, although SRP is not a 3-party authentication system, it can still be centrally managed and distributed, with a little bit of common sense. And it does not suffer from the weaknesses (talking line level again here) of 3-party Kerberos.

Furthermore, using SRP doesn't just authenticate the user; it:

* ensures you are connecting to the intended party (authentication cannot
  succeed if trying to authenticate against the wrong machine)
* prevents man-in-the-middle attacks
* prevents offline dictionary attacks
* provides a shared secret as a byproduct of successful authentication
  which can be used to symmetrically encrypt further communications.

> You need five points so as not to make the non-existent security of
> passwords worth even less:
>
> Don't tell anyone your password.
> Don't write your password down anywhere.
> When you decide on a password, make sure it can't be guessed.
> If you think there's even a chance someone else might know your
> password, change it.
> Make sure no one is standing near you when you enter your password.
>
> From the point of view of real security: passwords do not have a
> security aspect.

Every little bit helps, good tips, but having secure transmission of passwords is a very good idea too. Your points are just policy.

> These points all depend exclusively on human interaction. The algorithm
> has zero chance.

Why don't you try investigating SRP a little better. Sure, you can still do a dictionary attack over the network, but it is orders of magnitude slower, and there are methods of throttling auth attempts so that it could be pretty much pointless to try.

> So the SRP implementations are a marketecture thingy, worse because
> they are a feint of security.

Given proper selection of user names and passwords, SRP would be very nice to use, indeed. It's just another component of a properly secured system. Oh yeah, and JBoss apparently thinks SRP is a good idea too, as they have an SRPLoginModule. I just don't quite understand your reasoning behind discouraging this. Also, you can't exactly use your articles as a point of reference, as they just talk about policy also.

Edward Flick
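The exchange Edward describes (server holds only a verifier, password never on the wire, a shared key as a byproduct, a wrong password rejected without revealing anything), as an added worked example that is not part of the thread and is not Geronimo's, JBoss's SRPLoginModule's or Stanford's code. It is SRP-6a with the 1024-bit prime and generator from RFC 5054, using SHA-256; the M1/M2 proof formats, the 16-byte salt, the 256-bit ephemeral exponents and the user "alice" with her password are constructed for the demo and are not from the page.

```python
"""SRP-6a login, both sides of one exchange (RFC 5054 1024-bit group, SHA-256).
Added example for illustration; not code from Geronimo, JBoss or the thread."""
import hashlib
import secrets

# Safe prime and generator from RFC 5054, Appendix A.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8  # 128 bytes; group elements are padded to this

def H(*parts):  # SHA-256 over the concatenated byte strings, as an integer
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def enc(x, n=NLEN):  # big-endian encoding of an integer, zero-padded to n bytes
    return x.to_bytes(n, "big")

k = H(enc(N), enc(g))  # SRP-6a multiplier, bound to the group parameters

def private_x(username, password, salt):
    """x = H(s || H(I ':' P)); computed only on the client, never transmitted."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def make_verifier(username, password):
    """Enrolment: the server stores (salt, v = g^x), never the password or x."""
    salt = secrets.token_bytes(16)  # constructed demo salt size
    return salt, pow(g, private_x(username, password, salt), N)

class SrpServer:
    def __init__(self):
        self.users = {}     # username -> (salt, verifier)
        self.sessions = {}  # username -> (A, b, B) for an exchange in flight

    def register(self, username, salt, verifier):
        self.users[username] = (salt, verifier)

    def challenge(self, username, A):
        """Message 2: (s, B). A == 0 mod N would make S trivial, so reject it."""
        if A % N == 0:
            raise ValueError("illegal client value A")
        salt, v = self.users[username]
        b = secrets.randbits(256)
        B = (k * v + pow(g, b, N)) % N
        self.sessions[username] = (A, b, B)
        return salt, B

    def verify(self, username, M1):
        """Message 4: M2 if the client's proof checks out, else None."""
        A, b, B = self.sessions.pop(username)
        v = self.users[username][1]
        u = H(enc(A), enc(B))
        S = pow(A * pow(v, u, N) % N, b, N)  # (A * v^u)^b
        self.K = enc(H(enc(S)), 32)          # session key, never sent
        if H(enc(A), enc(B), self.K) != M1:
            return None
        return H(enc(A), enc(M1, 32), self.K)

class SrpClient:
    def __init__(self, username, password):
        self.username, self.password = username, password

    def start(self):
        """Message 1: (I, A = g^a)."""
        self.a = secrets.randbits(256)
        self.A = pow(g, self.a, N)
        return self.username, self.A

    def respond(self, salt, B):
        """Message 3: M1, proving knowledge of P without sending P or x."""
        if B % N == 0:
            raise ValueError("illegal server value B")
        u = H(enc(self.A), enc(B))
        if u == 0:
            raise ValueError("scrambling parameter u is zero")
        x = private_x(self.username, self.password, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)  # (B - k*g^x)^(a + u*x)
        self.K = enc(H(enc(S)), 32)
        self.M1 = H(enc(self.A), enc(B), self.K)
        return self.M1

    def finish(self, M2):
        """Server authentication: only a holder of v can produce the right M2."""
        return M2 is not None and M2 == H(enc(self.A), enc(self.M1, 32), self.K)

def run_login(server, username, password):
    """Drive one exchange and report what each side concluded."""
    client = SrpClient(username, password)
    I, A = client.start()
    salt, B = server.challenge(I, A)
    M1 = client.respond(salt, B)
    M2 = server.verify(I, M1)
    return {
        "server_accepted": M2 is not None,
        "client_accepted": client.finish(M2),
        "keys_match": M2 is not None and client.K == server.K,
        "on_the_wire": (I, A, salt, B, M1, M2),  # everything a sniffer sees
    }
```

Register "alice" with make_verifier() and call run_login() once with the right password and once with a wrong one: the first returns both sides accepted and matching keys, the second is refused by the server and the client never gets a valid M2. The "on_the_wire" tuple is the whole transcript a packet sniffer captures; it contains neither the password nor x, a or b, and checking a guessed password against it requires one of the ephemeral exponents, which is why a dictionary attack has to go online, one guess per exchange, where throttling applies. A stolen server record yields only (salt, v), so recovering the password from it still means a per-user brute force against g^x.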
