Question About Password Systems

The fear of every surveillance society: citizens protecting their own privacy with strong cryptography

Question About Password Systems

Post by Narphet on Fri Jul 02, 2010 9:49 am
([msg=41186]see Question About Password Systems[/msg])

Say a site has a log-in system on it. These are as far as I can tell the possible ways of implementing this:

1. Client sends password in cleartext, server compares it to stored passwords, which are also in cleartext.

2. Client sends password in cleartext, server hashes it and compares the hash to stored passwords, which are hashed.

3. Client hashes password before sending, server compares it to stored passwords, which are hashed.

And all of these are equally vulnerable. For the first two, you just intercept what the client sends, and there's your password. Just type it into the HTML form or whatever. The the third, again intercept what the client sends, just this time send it to the server directly so that the client-side pre-processing doesn't hash it a second time.

So what's the point of encrypting passwords?
Narphet
New User
New User
 
Posts: 30
Joined: Tue Jun 22, 2010 4:42 pm
Blog: View Blog (0)


Re: Question About Password Systems

Post by Goatboy on Fri Jul 02, 2010 10:41 am
([msg=41187]see Re: Question About Password Systems[/msg])

There's really no perfectly secure system, even in theory. I mean I suppose you could claim a system is 100% safe, as long as it doesn't do anything, but let's be practical here. If it can be used in a legit way, it can be broken.

That said, just about all that security does is to make it harder for an attacker. This is why you see security in layers. You have to remember that an attacker only needs to find one hole, while a defender needs to protect against them all.

It's like why we have seatbelts and airbags. Saying people can still die when using them both is not a good reason to get rid of them altogether.
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk
User avatar
Goatboy
Expert
Expert
 
Posts: 2807
Joined: Mon Jul 07, 2008 9:35 pm
Blog: View Blog (0)


Re: Question About Password Systems

Post by Narphet on Fri Jul 02, 2010 10:55 am
([msg=41189]see Re: Question About Password Systems[/msg])

But this doesn't make it harder to break in at all. The most secure system presented up there is #3, which only means that the attacker has to change the HTTP requests sent by the browser, which is trivial. So what other security "layers" are in place to prevent that?
Narphet
New User
New User
 
Posts: 30
Joined: Tue Jun 22, 2010 4:42 pm
Blog: View Blog (0)


Re: Question About Password Systems

Post by insomaniacal on Fri Jul 02, 2010 11:08 am
([msg=41192]see Re: Question About Password Systems[/msg])

Well, you have to find a way to intercept what the client sends don't you? This isn't much of a problem if you're on the same network, but if you're not, it's already substantially more difficult.
It's not who votes that counts, it's who counts the votes
insomaniacal.blog.com
User avatar
insomaniacal
Addict
Addict
 
Posts: 1210
Joined: Sun May 24, 2009 10:21 am
Blog: View Blog (0)


Re: Question About Password Systems

Post by msbachman on Fri Jul 02, 2010 12:36 pm
([msg=41200]see Re: Question About Password Systems[/msg])

Narphet wrote:So what's the point of encrypting passwords?


If you really need something to be secure from prying eyes, you'll need to do something like TLS that encrypts everything. It's not then a mere matter of monitoring traffic, because each side negotiates a key for the other to encrypt traffic with, and only the destination (without some strange exploit) would be able to decrypt it.

So doing that, there's no hash or plaintext password visible at all to an attacker.

Otherwise, encrypting passwords can have the effect of not being as easily grepped for in network traffic. I think that altering traffic from containing any sort of key/value pair of the password/value would be a good idea just so anyone listening wouldn't immediately be tipped off to it were they to grep for 'password' on a dump of sniffed traffic. It's just basic obfuscation though and not real security.
"I'm going to get into your sister. I'm going to get my hands on your daughter."
~Gatito
User avatar
msbachman
Contributor
Contributor
 
Posts: 681
Joined: Mon Jan 12, 2009 10:22 pm
Location: In the sky lol
Blog: View Blog (0)



Return to Crypto

Who is online

Users browsing this forum: No registered users and 0 guests