Jens Hartwig wrote:
>
> > [...]
> > Isn't this just as bad? If you store the encrypted password, that doesn't
> > help you in the slightest in this case, because if you can breach the list
> > of encrypted passwords, you still know what you need to send as the
> > "password" from the front end to let you into the database.
> > [...]
>
> If you encrypt the input from the frontend as well and compare the
> encrypted strings it will not help you to look into the list of
> encrypted passwords ... or am I wrong?
Slightly wrong -- you need to fetch the salt from the database first.
But even so, if you then transmit this ENCRYPTED password, it can be
sniffed, and the results of that sniff are all that are needed to
access the system.
--
Karl DeBisschop kdebisschop@alert.infoplease.com
Learning Network/Information Please http://www.infoplease.com
Netsaint Plugin Developer kdebisschop@users.sourceforge.net