[Catalyst] Storing a password hash with DBIC

Matt S Trout dbix-class at trout.me.uk
Thu Aug 10 21:31:46 CEST 2006


Brandon Black wrote:
> I'd agree that SSL is the best idea for solving a whole lot of issues, 
> and anyone authenticating over the net should be using SSL.  But SSL 
> doesn't make all of the other issues magically go away.  SSL is just yet 
> another layer of security.  Ideally, one should still be observing best 
> practices for challenge/response and translucent pw storage, etc, even 
> within an SSL environment.  That method I linked (and others like it) 
> are still useful under SSL, and are improved by SSL (because with signed 
> certs it eliminates MITM attacks that the challenge/response is 
> otherwise subjected to - assuming the javascript for the hashing and the 
> login page itself are also sent via SSL).

Also remember that the longer an SSL session lasts, the more likely it is to be 
crackable from the data stream.
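As an added illustration (not code from this thread, from Catalyst or from DBIC), the challenge/response pattern Brandon describes, written out with both sides in Python: the server stores only a salted verifier, the client (the role the JavaScript plays in the browser) hashes the password itself and answers a single-use nonce, and the password never crosses the wire. The example goes a little beyond the quoted message: it also shows the two things the scheme does not protect against on its own, which is why SSL is still wanted. An eavesdropper who records the exchange can test password guesses offline, and anyone who obtains the stored verifier can answer the challenge without knowing the password. All names (Server, client_response, offline_guess, ...) and the sample user are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example of a nonce-based challenge/response login with
# client-side password hashing. Class and function names are hypothetical.

ITERATIONS = 100_000  # PBKDF2 work factor; tune upward for real deployments


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Salted password hash: stored server-side, recomputed client-side at login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Server:
    def __init__(self) -> None:
        self.users = {}    # username -> (salt, verifier)
        self.pending = {}  # username -> nonce issued but not yet answered

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, derive_verifier(password, salt))

    def challenge(self, username: str):
        """Step 1: send the client its salt and a fresh single-use nonce."""
        salt, _ = self.users[username]
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Step 3: recompute HMAC(verifier, nonce) and compare in constant time."""
        nonce = self.pending.pop(username, None)  # consumed: a replay finds no nonce
        if nonce is None:
            return False
        _, verifier = self.users[username]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Step 2: what the browser-side code computes; only this value is sent."""
    return hmac.new(derive_verifier(password, salt), nonce, hashlib.sha256).digest()


def login(server: Server, username: str, password: str) -> bool:
    """One complete exchange."""
    salt, nonce = server.challenge(username)
    return server.verify(username, client_response(password, salt, nonce))


def replay_is_rejected(server: Server, username: str, password: str) -> bool:
    """Re-sending a captured response fails because the nonce was used up."""
    salt, nonce = server.challenge(username)
    captured = client_response(password, salt, nonce)
    first = server.verify(username, captured)
    second = server.verify(username, captured)
    return first and not second


def offline_guess(salt: bytes, nonce: bytes, response: bytes,
                  wordlist: list) -> Optional[str]:
    """Why SSL still matters: the recorded transcript (salt, nonce, response)
    lets an eavesdropper test guesses offline, one PBKDF2 per guess."""
    for guess in wordlist:
        if hmac.compare_digest(client_response(guess, salt, nonce), response):
            return guess
    return None


def passes_the_hash(server: Server, username: str) -> bool:
    """Why the stored verifier must be guarded: whoever holds it can answer
    the challenge without ever learning the password."""
    salt, nonce = server.challenge(username)
    _, stolen_verifier = server.users[username]
    forged = hmac.new(stolen_verifier, nonce, hashlib.sha256).digest()
    return server.verify(username, forged)


if __name__ == "__main__":
    s = Server()
    s.register("alice", "correct horse")
    print("good password:  ", login(s, "alice", "correct horse"))
    print("bad password:   ", login(s, "alice", "wrong"))
    print("replay rejected:", replay_is_rejected(s, "alice", "correct horse"))
    print("pass-the-hash:  ", passes_the_hash(s, "alice"))
```

The verifier is deliberately a slow, salted hash so that the offline attack in offline_guess costs the attacker one PBKDF2 per candidate; with a fast hash the same transcript would fall to a dictionary in seconds. Note also that because the client must reproduce the verifier, it is effectively a password equivalent, which is the opposite of what a plain server-side bcrypt hash gives you; that trade is the price of keeping the cleartext password out of the request.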


