The most common approaches I know of:
Unix-style password file: store salt || H(salt || password)
The 'salt' value is a random string used to make attacks that precompute
the hash values of common passwords harder. The downside is that the
client has to send the password in plaintext. The hash is often iterated
a few times to make brute force attacks more time consuming.
CHAP: (originally from PPP)
send a challenge string from server to client. The client sends back
H(challenge || password). Someone now has to brute-force the password if
the communication is intercepted. The downside is that the password is
stored in plaintext on the server.
There are methods that solve both problems (not storing the password on
the server, and not sending the password over the wire), but you enter a
major patent minefield if you try to use them.
If I had to choose I'd store the password as a salted hash. Break-ins
into servers are much more common than password intercepts (credit card
numbers are stolen from servers, not by intercepting traffic). You can
always add HTTPS if interception is an issue.
Gé
On 01/10/2010 04:43 AM, D. Richard Hipp wrote:
On Jan 9, 2010, at 5:24 PM, D. Richard Hipp wrote:
OK. Beginning with http://www.fossil-scm.org/fossil/ci/cfe33dcf92
Fossil will store passwords on servers as either cleartext or as a
SHA1 hash of the password. ...
I have tagged this change "experimental" for now. I'm planning to
make some additional (incompatible) changes to make the password
handling more secure. You can experiment with this version, but you
should create backups to restore from after my upcoming incompatible
changes.....
d...@hwaci.com
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
--
Gé Weijers email: g...@weijers.org
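A minimal illustration of the two schemes contrasted above, added here as example code (it is not Fossil's code and not from the post): SHA-256, a 16-byte salt and a 10,000-round iteration count are assumptions, since the message only says the hash is "iterated a few times". It shows why the salted record can be verified without the cleartext password while the CHAP server must keep it, and why a captured CHAP response does not replay against a fresh challenge.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16        # assumed salt length
ITERATIONS = 10_000  # assumed iteration count ("iterated a few times" in the post)


def unix_store(password: bytes, salt: Optional[bytes] = None) -> bytes:
    """Unix-style record: salt || H(salt || password), with H iterated."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha256(salt + password).digest()
    for _ in range(ITERATIONS - 1):
        digest = hashlib.sha256(salt + digest).digest()
    return salt + digest


def unix_verify(record: bytes, password: bytes) -> bool:
    """Server recomputes the hash from the stored salt; the cleartext is never stored."""
    salt = record[:SALT_LEN]
    return hmac.compare_digest(unix_store(password, salt), record)


def chap_challenge() -> bytes:
    """Fresh random challenge per login attempt."""
    return os.urandom(16)


def chap_response(challenge: bytes, password: bytes) -> bytes:
    """Client side: H(challenge || password); the password never leaves the client."""
    return hashlib.sha256(challenge + password).digest()


def chap_verify(stored_cleartext: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: needs the cleartext password to recompute the expected response."""
    expected = chap_response(challenge, stored_cleartext)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    pw = b"correct horse"  # constructed sample password
    rec = unix_store(pw)
    print("unix verify ok:", unix_verify(rec, pw), "wrong pw:", unix_verify(rec, b"x"))
    c = chap_challenge()
    r = chap_response(c, pw)
    print("chap verify ok:", chap_verify(pw, c, r),
          "replay vs new challenge:", chap_verify(pw, chap_challenge(), r))
```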