RBL - Ephialtes
DontCare4Free:
--- Quote from: cucumberdude on March 11, 2011, 04:28:55 PM ---
Clientside encryption could be, but clientside encryption is pointless (assuming I'm not running some hurrdurr password collecting scam) because anybody who intercepted the password between the client and server would as good as have the password.
--- End quote ---
No, anyone intercepting it could NOT as good as have the password, since they can't reverse the hashing, which means that they can't use it to use the account on other sites (assuming the same password, etc.).
--- Quote from: cucumberdude on March 11, 2011, 04:28:55 PM ---
Interesting, I didn't know that. Subtle difference. I have used AES in previous projects, so I'm used to saying 'encrypted'.
--- End quote ---
Using AES for passwords would be entirely useless.
--- Quote from: cucumberdude on March 11, 2011, 04:28:55 PM ---
So, using the password as a seed? I'm not really sure what the advantage would be, if the user wanted password recovery it would still be impossible.
--- End quote ---
I assume that you mean "recovering the old password". No, that would be impossible, which is one of the points of it. However, what usually happens when you use a password recovery feature is that the site sends a new password to your e-mail. That would not be impossible, since the encrypted data is already known. What is not known is the encryption KEY. The thing is that you retrieve the encrypted data and the decrypted data from the database. Then you try decrypting it with the password as key, and if it succeeds you compare the decrypted data with the data from the database. If that succeeds, log me in; otherwise, refuse.
--- Quote from: cucumberdude on March 11, 2011, 04:28:55 PM ---
Vaguely. Is it that global internet ID thing? I didn't think it was really all that widely used.
--- End quote ---
Actually some big sites allow both using "their" account system and OpenID.
Drupal (which I personally like quite a lot) ships with an OpenID module by default (although disabled); I'm not sure about how it handles passwords though. Some big sites (for example StackExchange (StackOverflow, etc.) and SuseStudio) only allow login via OpenID. Also, for example, Google and Yahoo act as OpenID providers, which means that any site allowing OpenID logins can be logged into with your Google/Yahoo account.
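The login check described in the post above, as an added example that is not part of the thread: the database keeps only the known data and the result of keying it with the password, never the password itself or a recoverable key. It uses PBKDF2-HMAC-SHA256 from Python's standard library with the password as the key, in place of the AES decryption the post has in mind; the in-memory user table and the iteration count are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed in-memory "database": username -> (known_data, derived_data).
# The password is never stored; only the public known bytes and the value
# obtained by using the password as the key over those bytes.
USERS: Dict[str, Tuple[bytes, bytes]] = {}

ITERATIONS = 200_000  # assumption: work factor picked for this example


def derive(password: str, known_data: bytes) -> bytes:
    """Use the password as the key over the known data (PBKDF2-HMAC-SHA256).
    This stands in for the 'encrypt known data with the password' step."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), known_data, ITERATIONS)


def register(username: str, password: str) -> None:
    """Create the record: per-user known data (stored in the clear) plus its keyed result."""
    known_data = os.urandom(16)
    USERS[username] = (known_data, derive(password, known_data))


def login(username: str, password: str) -> bool:
    """Key the stored known data with the submitted password and compare the
    result to the stored value, in constant time. Nothing here can be reversed
    to yield the password, so a leaked table does not hand out credentials."""
    record = USERS.get(username)
    if record is None:
        return False
    known_data, stored = record
    return hmac.compare_digest(derive(password, known_data), stored)


def reset_password(username: str) -> str:
    """Password recovery as the post describes it: the old password cannot be
    read back from the record, so a fresh one is issued and the record replaced."""
    new_password = os.urandom(9).hex()  # constructed; a real site would e-mail this
    register(username, new_password)
    return new_password
```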
Iban:
These big ol' fancy arguments are fine and dandy, but what y'all are forgetting is that this service is a) completely loving pointless, and b) should not require registrations in the first place.
DontCare4Free:
--- Quote from: Iban on March 11, 2011, 04:53:05 PM ---
These big ol' fancy arguments are fine and dandy, but what y'all are forgetting is that this service is a) completely loving pointless, and b) should not require registrations in the first place.
--- End quote ---
I agree about it being pointless; however, I do see a point in having some kind of auth. However (in my eyes) that auth could very well be provided via OpenID or anything.
TheFutureOfDark:
Iban:
--- Quote from: DontCare4Free on March 11, 2011, 05:07:32 PM ---
I agree about it being pointless; however, I do see a point in having some kind of auth. However (in my eyes) that auth could very well be provided via OpenID or anything.
--- End quote ---
OpenID is fine. The problem here is that the dude was storing a massive amount of passwords provided by members of Blockland in plain text, associated with their name and email. This isn't OK.