Nic Ferrier wrote:
>
> > I want to ask about password security. I know when sending plain
> > text passwords over the net is a bad thing and it should be encrypted
> > first, but if I have an object that has the password stored in it that's
> > sent to the servlet is that safe enough to not be seen by a snooper?
>
> You mean send the password in an object over an ObjectOutputStream?
>
> No, that's not safe.
>
> Basically nothing is safe unless it is done over an HTTPS (HTTP over SSL)

Nic is right. However, since you have Java on the client side too, there
are non-basic things you can do. The simplest is a challenge-response
type thing.

Before the login, the server sends a random number. When the user types
her password, the client appends the random number to the password, runs
the concatenated bytes through a one-way hash (MD5 for example) and sends
the 64-bit hash value to the server. The server takes its stored copy of
the password, appends the random number, runs MD5 and checks to see if
the result it calculated is the same as the one the client sent. If the
two values are the same, then the chances are (millions to 1) that the
client typed the correct password.

The trick being that you can't reverse MD5, so snooping the random number
and the hash value tells a cracker nothing about the password. (Actually,
it does provide them with a way to check guessed passwords off-line, so
you need to impose a 'good password checker' on the users.)

The only problem with this is that you need an initial secure way to get
the password from the user when they sign up.

> connection.
>
> Nic Ferrier
>
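The exchange described in the reply above, written out as an added example that is not part of the thread and not code from either poster. It is in Python rather than the Java the list is about, because the protocol is the same in any language; the Server, Client, login and offline_guess names and the sample credential store are constructed for illustration. MD5 is used because the reply suggests it (note its digest is 16 bytes, i.e. 128 bits). Two details go beyond what the reply states and are marked as assumptions in the comments: each challenge is generated from a CSPRNG and consumed on first use, so a captured response cannot be replayed, and the comparison is constant-time. The offline_guess function shows the caveat in the reply's parenthetical: anyone who snoops the (random number, hash) pair can test guesses off-line, so the scheme only holds up as well as the password does.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store. As the reply says, the server
# must keep a copy of the password it can recompute the hash from.
USER_DB = {"alice": b"password123"}


def response_for(password: bytes, nonce: bytes) -> bytes:
    """Client-side computation: MD5(password || random number).
    MD5 digests are 16 bytes (128 bits)."""
    return hashlib.md5(password + nonce).digest()


class Server:
    """Servlet side: issues one random challenge per login attempt and
    checks the client's answer against its stored password."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.pending = {}  # username -> outstanding challenge

    def challenge(self, username: str) -> bytes:
        # Assumption beyond the reply: 128-bit challenge from a CSPRNG,
        # one outstanding challenge per user, consumed on first use.
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        nonce = self.pending.pop(username, None)
        password = self.user_db.get(username)
        if nonce is None or password is None:
            return False
        expected = response_for(password, nonce)
        # Constant-time comparison (assumption, not in the reply).
        return hmac.compare_digest(expected, response)


class Client:
    """Stand-in for the client-side Java code: never sends the password."""

    def __init__(self, username: str, password: bytes):
        self.username = username
        self.password = password

    def answer(self, nonce: bytes) -> bytes:
        return response_for(self.password, nonce)


def login(server: Server, client: Client):
    """Run one exchange. Returns (accepted, transcript); the transcript
    is exactly what a snooper on the wire would see."""
    nonce = server.challenge(client.username)
    response = client.answer(nonce)
    accepted = server.verify(client.username, response)
    return accepted, (client.username, nonce, response)


def offline_guess(transcript, wordlist):
    """The caveat in the reply: a captured (random number, hash) pair
    lets a snooper test guesses without ever touching the server."""
    _, nonce, response = transcript
    for guess in wordlist:
        if response_for(guess, nonce) == response:
            return guess
    return None


if __name__ == "__main__":
    server = Server(USER_DB)
    ok, transcript = login(server, Client("alice", b"password123"))
    print("login with correct password:", ok)
    print("login with wrong password:", login(server, Client("alice", b"nope"))[0])
    # Replaying a captured response fails: the server issued a new challenge
    server.challenge("alice")
    print("replay of captured response:", server.verify("alice", transcript[2]))
    # A weak password falls to an off-line dictionary attack on the snooped pair
    print("offline guess:", offline_guess(transcript, [b"letmein", b"password123"]))
```

Running it shows the three properties the reply relies on: a correct password is accepted, a wrong one is rejected, and the snooped pair on its own does not reveal the password to the server. It also shows the part the reply only mentions in passing: with "password123" as the password, offline_guess recovers it from the captured pair with a two-word list, which is why the reply insists on a good-password checker, and why HTTPS for the sign-up step is the only fix for the remaining gap.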

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
