Hi, great to see this discussion.

Sure, OpenID with SSL is a better solution. But for some reason, single sign-on on the web has never taken off. Realistically, most websites will still allow password logins for the foreseeable future, even if OpenID is an authentication option. So there is a need for this tactical solution.

The difficulty with aligning the database hashing and client-side hashing... this is certainly a problem. It's easy for a new site, but an existing site with passwords that are already hashed - that is a problem. Surmountable in most situations, but not all. Bringing this back to TG specifics, how does repoze.who currently save passwords in the db?

The risk of stored password equivalents is certainly a risk. It's generally considered a not-very-bad risk, as if someone has accessed your password hashes, they can probably do all the stuff a user can do when logged in anyway. For this reason, both Windows and MySQL have the same vulnerability. Some scenarios (e.g. a lost backup tape) do look worse with this. I don't recommend it, but you can actually solve this, at the cost of an Ajax request per login. This is discussed in the advanced section on the site.

Gustavo... you are absolutely right, using public-key encryption like RSA can give you a stronger system. And JavaScript RSA does exist (http://www.ohdave.com/rsa/). However, with secure key sizes it runs very slowly in JS, so it's not practically usable. There is no way to get these benefits from symmetric encryption, e.g. AES.

The risk of brute force attacks exists, but rainbow tables are not a major threat - the salting really hampers them. The key point is that a sniffer getting a hash that they could try to brute force is a definite improvement on them getting a plaintext password.

Interesting point about interfering with the "save password" feature in browsers, that's new to me. I will look into it; I suspect it can be solved with Ajax.
Ok, that's it, happy hacking, Paul
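The two risks Paul weighs above (a sniffer capturing a salted hash versus a plaintext password, and the database holding a "password equivalent" that can be replayed) can be made concrete in a few lines. The following is an added example, not code from the thread, TurboGears or repoze.who; the function and class names (`client_hash`, `NaiveStore`, `RehashStore`, `server_hash`) and the site salt are constructed for illustration. It shows the client-side salted hash as the value sent on the wire, a store that keeps that value verbatim (so a leaked row replays), and a store that re-hashes it with a per-user random salt so a leaked row is no longer a login token.

```python
import hashlib
import hmac
import secrets

# Constructed site-wide salt; a real deployment would pick its own.
SITE_SALT = "example-site-salt"


def client_hash(username: str, password: str, site_salt: str = SITE_SALT) -> str:
    """Value the browser would compute and send instead of the plaintext.

    Mixing in the username and a per-site salt is what blunts precomputed
    (rainbow) tables: the same password yields a different hash per site
    and per user, so an attacker must brute-force each entry individually.
    """
    data = f"{site_salt}:{username}:{password}".encode()
    return hashlib.sha256(data).hexdigest()


class NaiveStore:
    """Stores exactly what the client sends (the 'password equivalent' case).

    Anyone who reads this table (a lost backup tape, for instance) holds a
    value that logs them in directly by replaying it.
    """

    def __init__(self) -> None:
        self.db: dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self.db[username] = client_hash(username, password)

    def verify_wire_value(self, username: str, wire_value: str) -> bool:
        stored = self.db.get(username)
        return stored is not None and hmac.compare_digest(stored, wire_value)


def server_hash(user_salt_hex: str, wire_value: str) -> str:
    """Slow server-side re-hash of the wire value with a per-user random salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", wire_value.encode(), bytes.fromhex(user_salt_hex), 50_000
    ).hex()


class RehashStore:
    """Re-hashes the client's value before storing it.

    The database row is no longer the value that travels on the wire, so a
    leaked row cannot simply be replayed as a login. Note the limit: a
    sniffer on an unencrypted connection still captures the wire value and
    can replay it; only SSL or a per-login challenge removes that.
    """

    def __init__(self) -> None:
        self.db: dict[str, tuple[str, str]] = {}

    def register(self, username: str, password: str) -> None:
        user_salt = secrets.token_hex(16)
        wire = client_hash(username, password)
        self.db[username] = (user_salt, server_hash(user_salt, wire))

    def verify_wire_value(self, username: str, wire_value: str) -> bool:
        record = self.db.get(username)
        if record is None:
            return False
        user_salt, stored = record
        return hmac.compare_digest(stored, server_hash(user_salt, wire_value))


def leaked_row_replays(store, username: str) -> bool:
    """Does presenting the stored database value itself log the user in?"""
    row = store.db[username]
    leaked = row if isinstance(row, str) else row[1]
    return store.verify_wire_value(username, leaked)


if __name__ == "__main__":
    for store_cls in (NaiveStore, RehashStore):
        store = store_cls()
        store.register("alice", "correct horse battery staple")
        wire = client_hash("alice", "correct horse battery staple")
        print(store_cls.__name__,
              "login ok:", store.verify_wire_value("alice", wire),
              "leaked row replays:", leaked_row_replays(store, "alice"))
```

In both stores the legitimate login still works, and in both a network sniffer only sees a salted hash rather than the plaintext; the difference is only what a copy of the database is worth.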
