On Mon, May 4, 2009 at 7:08 AM, Florent Aide <[email protected]> wrote:

>
> On Mon, May 4, 2009 at 1:58 PM, Christopher Arndt <[email protected]>
> wrote:
> >
> > Paul Johnston schrieb:
> >> So, this is a call to the authors of all web authentication libraries.
> >> Add JavaScript MD5 as an authentication mechanism. And if support
> >> becomes widespread, the internet becomes a little bit safer for
> >> everyone.
> >
> > I'm surprised that no one has mentioned it yet, but obviously with such
> > a scheme, you have to store the passwords in clear text on the server
> > side, don't you? This is just not acceptable for some sites, so any
> > authentication scheme that requires this can only ever be an option.
>
> Chris is right about this point. I'm not that fond of storing clear
> text passwords on the server...
>

This is one of the tricky parts.  You could double-hash, but you have to
have a consistent hashing strategy on the backend that you can replicate on
the client.  It would be ideal to use something like hmac, which I believe
is hash-neutral, so you could use it with MD5 (though SHA1 is more common),
and then hash it once again using some confirmed nonce to avoid a replay
attack.

If you already have a database that doesn't use MD5, or that uses multiple
hash algorithms (which htpasswd supports, among others, and which you might
want to do if you upgrade from MD5 to SHA1, but obviously you can't rehash
the MD5 hashes you have) then it becomes more difficult, because you don't
know what algorithm the client has to repeat.

This cross-cutting complexity (from database all the way to the client) is I
think the biggest reason this hasn't caught on.

Also I believe it messes with some browser things like remembering
passwords.  I think LiveJournal uses client-side hashing, and it causes this
problem.  OpenID with a provider that uses SSL solves these problems and
others.

-- 
Ian Bicking  |  http://blog.ianbicking.org
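The scheme Ian sketches above (hash the password once for storage, then HMAC that stored value with a fresh server nonce so a captured response cannot be replayed), written out as an added example; this is not code from the thread or from TurboGears. It also covers his second paragraph's problem by keeping records in an htpasswd-like `algo$hexdigest` form so the server can tell the client which algorithm to repeat. The record format, the `Server` class, the hypothetical JavaScript-capable algorithm list and the sample users are assumptions made for illustration.

```python
"""Challenge-response login over a stored password hash (added example).

Assumed design: the server stores only hash(password) per user as
'algo$hexdigest', sends the client a single-use nonce plus the algorithm
name, and checks HMAC(key=stored hash, msg=nonce) against the reply.
"""
import hashlib
import hmac
import secrets

# Assumption: algorithms the client-side (JavaScript) library can also compute.
SUPPORTED = ("md5", "sha1", "sha256")


def password_verifier(password: str, algo: str) -> str:
    """First hash: recomputed by the client from the typed password, stored by the server."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported algorithm {algo!r}")
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def store_record(password: str, algo: str = "sha1") -> str:
    """Stored form 'algo$hexdigest': the record carries its own algorithm (assumed format)."""
    return f"{algo}${password_verifier(password, algo)}"


def challenge_response(verifier_hex: str, nonce: str, algo: str) -> str:
    """Second hash: HMAC(key=verifier, msg=nonce).

    HMAC is hash-neutral, so the same construction works whether the record
    was made with MD5, SHA-1 or SHA-256; only the digest name changes.
    """
    return hmac.new(verifier_hex.encode("ascii"), nonce.encode("ascii"), algo).hexdigest()


class Server:
    """Minimal in-memory server side (constructed for the example)."""

    def __init__(self):
        self.users = {}    # username -> "algo$hexdigest"
        self.pending = {}  # nonce -> username, consumed on first verify()

    def register(self, username: str, password: str, algo: str = "sha1") -> None:
        self.users[username] = store_record(password, algo)

    def challenge(self, username: str) -> dict:
        """Issue a fresh nonce and tell the client which algorithm its record uses."""
        algo, _ = self.users[username].split("$", 1)
        nonce = secrets.token_hex(16)
        self.pending[nonce] = username
        return {"nonce": nonce, "algo": algo}

    def verify(self, username: str, nonce: str, response: str) -> bool:
        # A nonce is good for exactly one attempt, so a replayed response fails.
        if self.pending.pop(nonce, None) != username:
            return False
        algo, verifier_hex = self.users[username].split("$", 1)
        expected = challenge_response(verifier_hex, nonce, algo)
        return hmac.compare_digest(expected, response)


def client_login(server: Server, username: str, password: str):
    """Client side: fetch the challenge, repeat the server's hash, answer the nonce."""
    chal = server.challenge(username)
    verifier_hex = password_verifier(password, chal["algo"])
    return chal["nonce"], challenge_response(verifier_hex, chal["nonce"], chal["algo"])


def demo() -> dict:
    """Exercise the protocol; returns the outcome of each step for checking."""
    server = Server()
    server.register("alice", "correct horse", algo="md5")   # legacy MD5 record
    server.register("bob", "battery staple", algo="sha1")   # newer SHA-1 record
    results = {}
    nonce, resp = client_login(server, "alice", "correct horse")
    results["alice_ok"] = server.verify("alice", nonce, resp)
    results["alice_replay"] = server.verify("alice", nonce, resp)  # same nonce again
    nonce, resp = client_login(server, "bob", "wrong password")
    results["bob_wrong"] = server.verify("bob", nonce, resp)
    # Caveat: the stored verifier alone answers the challenge, i.e. it is
    # password-equivalent for this scheme, which is why the thread's concern
    # about the server-side store is only partly addressed by double-hashing.
    chal = server.challenge("bob")
    stored_hex = server.users["bob"].split("$", 1)[1]
    results["verifier_alone"] = server.verify(
        "bob", chal["nonce"], challenge_response(stored_hex, chal["nonce"], chal["algo"]))
    return results


if __name__ == "__main__":
    print(demo())
```

The `verifier_alone` result is the point to keep in mind when weighing this against Chris's objection: the server no longer holds clear-text passwords, but whatever it does hold is enough to pass its own login, so the store still needs the same protection a plaintext store would, and a salted or slow hash cannot be used unless the client can repeat it exactly.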

You received this message because you are subscribed to the Google Groups 
"TurboGears Trunk" group.
http://groups.google.com/group/turbogears-trunk?hl=en