W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1995

Re: SimpleMD5 quibbles

From: Dave Kristol <dmk@allegra.att.com>
Date: Wed, 1 Feb 95 17:31:47 EST
Message-Id: <9502012247.AA14551@hplb.hpl.hp.com>
To: john@math.nwu.edu
Cc: www-security@ns2.rutgers.edu, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, eric@allegra.att.com, jeff@spyglass.com
I suggested having an encoded (encrypted) password in the server-side
password file.

John Franks said:
  > This is a good idea, but it is important to understand that it doesn't
  > really protect you the way you might think.  It is still necessary to
  > protect the password file from being read by any untrusted user.  If
  > an untrusted user gets the encoded password f(passwd) he can create
  > MD5(nonce f(passwd)) and access everything the user with passwd is
  > entitled to.  The reason it is a good idea is that people foolishly
  > tend to use the same password on many systems so the sysadmin on the
  > SimpleMD5 system might read the password and guess that the user has
  > that password on a different system.

I certainly agree, and I don't want to imply that I believe this is
bullet-proof security.  The point, though, is that if I grabbed a
password from the server-side file, I could masquerade as a user by
simply entering that user's password to my favorite browser.  If the
password is encoded, I have to go to some more trouble to spoof the
user, because I can't simply supply the encoded value to the browser.

Dave Kristol
Received on Wednesday, 1 February 1995 14:52:51 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:13 EDT