[366] in WWW Security List Archive
Re: SimpleMD5 quibbles
daemon@ATHENA.MIT.EDU (Dave Kristol)
Wed Feb 1 21:52:45 1995
Date: Wed, 1 Feb 95 17:31:47 EST
From: dmk@allegra.att.com (Dave Kristol)
To: john@math.nwu.edu
Cc: www-security@ns2.rutgers.edu, http-wg@cuckoo.hpl.hp.com,
eric@allegra.att.com, jeff@spyglass.com
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
I suggested having an encoded (encrypted) password in the server-side
password file.
John Franks said:
> This is a good idea, but it is important to understand that it doesn't
> really protect you the way you might think. It is still necessary to
> protect the password file from being read by any untrusted user. If
> an untrusted user gets the encoded password f(passwd) he can create
> MD5(nonce f(passwd)) and access everything the user with passwd is
> entitled to. The reason it is a good idea is that people foolishly
> tend to use the same password on many systems so the sysadmin on the
> SimpleMD5 system might read the password and guess that the user has
> that password on a different system.
I certainly agree, and I don't want to imply that I believe this is
bullet-proof security. The point, though, is that if I grabbed a
password from the server-side file, I could masquerade as a user by
simply entering that user's password to my favorite browser. If the
password is encoded, I have to go to some more trouble to spoof the
user, because I can't simply supply the encoded value to the browser.
Dave Kristol
