On Wed, 20 May 2009, Jonathan Yu wrote:
> That's a pretty valid point. If it's a simple auth system as I
> understand it, though, then the users don't have different
> permissions, so there's really no point in cracking *all* of the
> passwords if you can download all the data with one.
No arguments on that. :-) Virtual users versus real system users will
always be a weak link that can be attacked on web apps.
And Bill's right in that if someone already has your hashes they probably
already have access to the rest of it as well. This exercise is merely
about protecting what was used to generate the hashes. Everything else is a
separate issue.
--Arthur Corliss
Live Free or Die