Passwords -- The down and dirty. (youfailatsecurity.org)
1 point by adamdecaf on Oct 16, 2010 | hide | past | favorite | 4 comments


Of course, dealing with passwords properly on the server is only one side of the story.

If the connection between client and server is not secure, then an attacker could intercept a user's password as it travels in plaintext from client to server. And if a user's login persists by the use of a cookie, an attacker could impersonate a logged-in user by using their cookie, after intercepting it as it is sent in plaintext in every request from client to server.
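The two exposures described in the comment above, a password crossing the wire in plaintext and a session cookie replayed from every request, are mitigated on the cookie side by how the server issues it. The following Python is an added example for this thread, not code from the linked article or from any commenter: it issues a session cookie with a CSPRNG token and the Secure, HttpOnly and SameSite attributes (SameSite postdates this 2010 thread), and it audits an arbitrary Set-Cookie value for the attributes that matter here. The cookie name and the sample header are constructed for the example.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE_NAME = "session"  # hypothetical cookie name for this example

# Constructed sample, the kind of header a 2010-era application might emit.
WEAK_SET_COOKIE = "PHPSESSID=3f9a1c2d; Path=/"


def issue_session_cookie(max_age=3600):
    """Return (token, Set-Cookie value) for a fresh, hardened session cookie.

    The token comes from the OS CSPRNG so it cannot be guessed. The attributes
    stop the browser sending it over plaintext HTTP (Secure), expose it to page
    script (HttpOnly), or attach it to cross-site requests (SameSite=Lax).
    """
    token = secrets.token_urlsafe(32)
    jar = SimpleCookie()
    jar[SESSION_COOKIE_NAME] = token
    morsel = jar[SESSION_COOKIE_NAME]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return token, morsel.OutputString()


def audit_set_cookie(header_value):
    """Flag transport and script-exposure weaknesses in one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    findings = []
    if "secure" not in attrs:
        findings.append(
            f"{name}: missing Secure; the browser will send it over plaintext "
            "HTTP, where it can be intercepted and replayed")
    if "httponly" not in attrs:
        findings.append(
            f"{name}: missing HttpOnly; page script (e.g. injected via XSS) "
            "can read it")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(
            f"{name}: SameSite is not Lax or Strict; it rides along on "
            "cross-site requests")
    return findings


if __name__ == "__main__":
    for finding in audit_set_cookie(WEAK_SET_COOKIE):
        print("weak:", finding)
    token, header = issue_session_cookie()
    print("hardened:", header)
    print("findings:", audit_set_cookie(header))
```

The Secure flag only helps if the login form itself is served and submitted over HTTPS; otherwise the password still travels in the clear on the way in, which is the first half of the comment above.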


Correct, I felt that those were outside of the scope of the post though. However, as I think about it more, they seem to fit better and better.


This is my first security-related article, thus I'm looking for suggestions and comments. Thanks.


Why no mention of key strengthening?

http://en.wikipedia.org/wiki/Key_strengthening
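Key strengthening (also called key stretching), which the comment above asks about, means deriving the stored verifier through a deliberately slow function so that each guess in an offline attack costs the attacker the same work it costs the server. The following Python is an added example for this thread, not code from the linked article or from any commenter: PBKDF2-HMAC-SHA256 from the standard library with a per-password random salt, a tunable iteration count stored alongside the hash, a constant-time comparison, and an upgrade-on-login check for when the iteration count is raised. The storage format and the iteration counts are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example. Pick an iteration count by measuring
# how long one verification takes on your own hardware, not from a table.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Stretch `password` through PBKDF2-HMAC-SHA256 with a fresh random salt.

    Returns a self-describing string, algorithm$iterations$salt$hash, so the
    cost can be raised later without breaking verification of older entries.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def verify_password(stored, candidate):
    """Recompute the stretched key with the stored salt and cost, compare in constant time."""
    try:
        algorithm, iter_str, salt_b64, key_b64 = stored.split("$")
        iterations = int(iter_str)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
    except ValueError:  # malformed entry (binascii.Error is a ValueError)
        return False
    if algorithm != ALGORITHM or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                                 iterations, dklen=KEY_BYTES)
    # compare_digest does not leak where the first differing byte is.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, target_iterations=DEFAULT_ITERATIONS):
    """True when the entry was made with an old algorithm or fewer iterations than policy."""
    try:
        algorithm, iter_str, _, _ = stored.split("$")
        return algorithm != ALGORITHM or int(iter_str) < target_iterations
    except ValueError:
        return True


def login(stored, candidate, target_iterations=DEFAULT_ITERATIONS):
    """Verify, and return a replacement entry if the stored one is below policy.

    Upgrade-on-login is the only moment the plaintext is available to re-stretch
    it, so this is where a raised iteration count propagates to old accounts.
    """
    if not verify_password(stored, candidate):
        return False, None
    if needs_rehash(stored, target_iterations):
        return True, hash_password(candidate, target_iterations)
    return True, None


if __name__ == "__main__":
    # A constructed legacy entry made with a low cost, then upgraded on login.
    legacy = hash_password("correct horse battery staple", iterations=10_000)
    ok, replacement = login(legacy, "correct horse battery staple")
    print("login ok:", ok)
    print("replacement stored:", replacement is not None)
    print("wrong password:", login(legacy, "correct horse battery stapler"))
```

PBKDF2 is shown because it ships with the standard library; memory-hard functions such as scrypt (hashlib.scrypt) or Argon2 resist GPU and ASIC attackers better and slot into the same stored-format and rehash pattern.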



