Talk About Network

Google


Register and Login
Nick
Password
Register create new account Sign up is FREE and you can post replies, new topics, bookmark posts and more!
Recover lost password


Programming > Html Tags > Re: New Input t...
Latest [ Topics | Posts ] Archive Post A New Topic Post a Reply
<< Topic < Post Post 30 of 40 Topic 438 of 447
 Post > Topic >>

Re: New Input type proposal

by Ben C <spamspam@[EMAIL PROTECTED] > Jan 10, 2008 at 09:41 AM

On 2008-01-10, Alexander Mueller <noemail@[EMAIL PROTECTED]
> wrote:
> Ben C wrote:
>> 
>> All you're protecting is the identities of people's pets. There is
>> however some value in this as some users may use the same password for
>> lots of websites.
>
> Well, I wouldnt really call a password a pet,

I was referring to the common practice of using one pet's name as a
password.
 
> but thats the point, the password itself should never have to leave
> the client in its plain text.

Some point in that yes, but really users shouldn't use the same password
for different sites, or at least, should use one password for
low-security unim****tant sites and a different one for bank accounts.

>> Can he? I thought root could change anyone's password to something else
>> and log in to their account, but he can't see their actual password.
The
>> actual password is not stored anywhere, so no-one can reveal it.
>
> Out-of-the-box usually not, however it is not too difficult to implement

> a code-injection into the particular libraries to get the password.

Well there are all sorts of ways to get the password. The easiest is
usually just to read it from the post-it note stuck to the computer.

In principle, assuming no malfeasance, the administrator cannot reveal
the password.

>> Well you make each special number one-time use only. You use it once
and
>> then get given another one, which you can also use only once.
>> Fortunately there are plenty of numbers.
>> 
>> If the number is not use-once then munging it with the password doesn't
>> help. The replay-attacker just needs to capture the munged
>> password+number.
>
> Yes, but an attacker would get his very own special number as well, so 
> if the values arent "munged", he would only need to supply his number 
> along with the password and there you go.

How does munging alter that situation? If he can replay the first access
(by getting hold of the hash used) then won't he just get his very own
replaysalt in just the same way?

Can you describe an example, step-by-step, of a session in which the
replaysalt provides some benefit that one-time session numbers don't?




 40 Posts in Topic:
New Input type proposal
 Alexander Mueller <noe  2008-01-09 18:23:48 
Re: New Input type proposal
 "J.O. Aho" <  2008-01-09 18:44:26 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-09 18:52:44 
Re: New Input type proposal
 "J.O. Aho" <  2008-01-09 19:27:54 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-09 19:31:43 
Re: New Input type proposal
 Jeff <jeff@[EMAIL PROT  2008-01-09 13:41:30 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-09 19:52:30 
Re: New Input type proposal
 Harlan Messinger <hmes  2008-01-09 14:08:14 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-09 20:18:07 
Re: New Input type proposal
 Harlan Messinger <hmes  2008-01-09 15:15:44 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-09 22:12:49 
Re: New Input type proposal
 Harlan Messinger <hmes  2008-01-09 16:36:58 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-09 22:43:37 
Re: New Input type proposal
 Harlan Messinger <hmes  2008-01-10 18:05:34 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-11 00:35:42 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-11 01:52:14 
Re: New Input type proposal
 Harlan Messinger <hmes  2008-01-10 23:00:47 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-11 13:05:25 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-09 18:58:22 
Re: New Input type proposal
 Harlan Messinger <hmes  2008-01-09 14:02:20 
Re: New Input type proposal
 richard <I.dont.care@[  2008-01-09 12:57:33 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-09 19:00:20 
Re: New Input type proposal
 Disco Octopus <disco@[  2008-01-09 12:52:55 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-09 22:38:43 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-09 22:22:57 
Re: New Input type proposal
 Ben C <spamspam@[EMAIL  2008-01-09 16:33:57 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-10 01:03:10 
Re: New Input type proposal
 Ben C <spamspam@[EMAIL  2008-01-10 04:02:03 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-10 12:10:00 
Re: New Input type proposal
 Ben C <spamspam@[EMAIL  2008-01-10 09:41:04 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-10 17:13:00 
Re: New Input type proposal
 Ben C <spamspam@[EMAIL  2008-01-10 16:07:54 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-10 23:31:45 
Re: New Input type proposal
 Ben C <spamspam@[EMAIL  2008-01-11 02:34:32 
Re: New Input type proposal
 Disco Octopus <disco@[  2008-01-10 14:41:46 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-11 00:23:09 
Re: New Input type proposal
 Andy Dingley <dingbat@  2008-01-11 03:33:40 
Re: New Input type proposal
 Alexander Mueller <noe  2008-01-23 15:03:06 
Re: New Input type proposal
 Neredbojias <monstersq  2008-01-23 16:34:11 
Re: New Input type proposal
 Travis Newbury <Travis  2008-01-23 08:36:04 

Post A Reply:
  Go here to Signup

AddThis Feed Button


About - Advertising - Contact - Frequently Asked Questions - Privacy Policy - Terms of Use - Signup
Contact
tan12V112 Mon Oct 6 14:36:46 CDT 2008.