> Where do you do the md5 hash: client side or server side? Do you hash JUST the
> password, or other identifying information as well?

Server side.

> then you're transmitting the actual password in plaintext, and I don't see
> where the hash helps.

We rely on SSL for this security. :) As you noticed, if someone can intercept the connection (whether MD5 or not), they are going to have the necessary information to supply to our server for any basic password authentication (that doesn't involve a second channel of auth).

> I suppose it protects against someone who breaks in to the server and snaggles
> your whole database, but I wonder if that's really the most likely attack
> scenario.

This is largely what we're trying to avoid. (Again, relying on SSL for transmission security.) If the database is compromised (maybe at least as likely from an internal employee at the datacenter as an outside hacker), and especially as silly users tend to use the same password across sites, we're greatly diminishing our responsibility.

Along these same lines, this is why we don't send users' passwords via email if they've forgotten them. I like the idea someone else reminded me about, namely sending a temporary random SSL URL that expires in a time WE decide, as opposed to a temporary password that waits for the user to log in with it. Along with this, if we ask the user to verify other information on this page (enter first/last name, address, something) that is not included in the email, I'd feel that we were doing a better job of limiting the risk of intercepted emails.

Luke

=====
------------------
Reference Counting Garbage Collection: Look out philosophy majors, things really DO cease to exist when no one is looking at them!
------------------

_______________________________________________
Webware-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/webware-discuss
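The two mechanisms Luke describes, hashing the password server side before it is stored and resetting via a random expiring URL plus a check on details that are not in the email, as one added Python example. This is not code from the post or from Webware; the hostname, the user table, the 15-minute window and the three-attempt limit are constructed for the example, and it uses a salted, iterated PBKDF2 hash for the stored credential rather than the bare MD5 named in the thread.

```python
import hashlib
import hmac
import os
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed settings for the example; host, iteration count and limits are assumptions.
RESET_HOST = "https://example.invalid"   # assumed hostname, served over SSL/TLS
PBKDF2_ITERATIONS = 200_000
MAX_VERIFY_ATTEMPTS = 3


def hash_password(password, salt=None):
    """Server-side salted, iterated hash; only this string is written to the table."""
    if salt is None:
        salt = os.urandom(16)          # fresh salt per user, so equal passwords differ in storage
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed user table: this is what a copied database would reveal.
USERS = {
    "luke": {"password": hash_password("correct horse battery"),
             "full_name": "Luke Example"},
}


def _fingerprint(token):
    # Only a hash of the token is kept server side, so the table itself
    # does not hand out usable reset links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def token_from_url(url):
    """Pull the token back out of the URL the user would click."""
    return parse_qs(urlparse(url).query)["token"][0]


class ResetTokens:
    """Random single-use reset links that expire after a server-chosen TTL."""

    def __init__(self, users, ttl_seconds, now=time.time):
        self.users = users
        self.ttl = ttl_seconds
        self.now = now                 # injectable clock so expiry can be tested
        self._pending = {}             # sha256(token) -> {"user", "expires_at", "attempts"}

    def issue(self, username):
        if username not in self.users:
            return None                # caller should answer identically either way
        token = secrets.token_urlsafe(32)
        self._pending[_fingerprint(token)] = {
            "user": username,
            "expires_at": self.now() + self.ttl,
            "attempts": 0,
        }
        return "%s/reset?token=%s" % (RESET_HOST, token)

    def redeem(self, token, claimed_full_name):
        """Return the username if the link is live and the extra detail matches, else None."""
        key = _fingerprint(token)
        entry = self._pending.get(key)
        if entry is None:
            return None
        if self.now() > entry["expires_at"]:
            del self._pending[key]     # expired: the window is ours, not the user's
            return None
        expected = self.users[entry["user"]]["full_name"]
        if not hmac.compare_digest(expected.encode("utf-8"), claimed_full_name.encode("utf-8")):
            entry["attempts"] += 1     # detail not present in the email was wrong
            if entry["attempts"] >= MAX_VERIFY_ATTEMPTS:
                del self._pending[key] # stop an intercepted link from being guessed against
            return None
        del self._pending[key]         # single use
        return entry["user"]
```

An intercepted email yields only a link that dies on the server's schedule, is spent on first success, and still demands a fact the email never carried; a copied user table yields salted hashes rather than passwords that might be reused on other sites.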
