Ikopar
Joined: 26 May 2006 Posts: 168

If sending a username and password through email when someone forgets their info is such a bad idea, then why do so many sites do it, and what better way is there?

Roombor
Joined: 02 Jun 2006 Posts: 111

Why is it a bad idea?
Yeah
So does it when the user enters his password on your site
(unless you use https :)

Ikopar
Joined: 26 May 2006 Posts: 168

Yeah, for that I'm hoping to use some kind of encryption

Roombor
Joined: 02 Jun 2006 Posts: 111

Do you think it's necessary for your site to have that kind of security?

Ikopar
Joined: 26 May 2006 Posts: 168

Probably not, but people I've talked to have kind of made me paranoid

Roombor
Joined: 02 Jun 2006 Posts: 111

Haha :)
You can send out PGP-encrypted mail ;)

Ikopar
Joined: 26 May 2006 Posts: 168

Oh man, I don't know if my hosting thing supports that, I've never even heard of it

Roombor
Joined: 02 Jun 2006 Posts: 111

Btw you don't have to send the password in the mail

Ikopar
Joined: 26 May 2006 Posts: 168

What else would I do, create a link with a random key in it that gives them the password on my site?

Roombor
Joined: 02 Jun 2006 Posts: 111

Yeah something like that
Theoretically they can sniff out that link of course
|
Ikopar
Joined: 26 May 2006 Posts: 168

Yeah, that would be a little harder to crack, but someone could... yeah, exactly

Roombor
Joined: 02 Jun 2006 Posts: 111

Would they really go to such lengths to hack some account to your site?

Ikopar
Joined: 26 May 2006 Posts: 168

No, probably not
Submitting the password when logging in is probably a more pressing matter, no?
So that should be the first security measure I should take

Roombor
Joined: 02 Jun 2006 Posts: 111

Your host probably supports https

Ikopar
Joined: 26 May 2006 Posts: 168

Is that the same as SSL? I think they wanted me to pay an extra 150 a year or something ridiculous like that

Roombor
Joined: 02 Jun 2006 Posts: 111

Oh :)
It's HTTP with SSL encryption
Maybe they ask that much because they have validated SSL certificates or something
Validated = signed

Ikopar
Joined: 26 May 2006 Posts: 168

Bah, I figure I could probably do the same thing myself, right? With some JavaScript perhaps
Encode the password client-side

Roombor
Joined: 02 Jun 2006 Posts: 111

That won't really help
They could still sniff the hash and send that directly to your server

Ikopar
Joined: 26 May 2006 Posts: 168

Damn it
Wait, what if there's a random key stored in a JavaScript variable
That dictates how it's encoded
And... oh, but it'd have to send the key too

Roombor
Joined: 02 Jun 2006 Posts: 111

Yeah :)

Ikopar
Joined: 26 May 2006 Posts: 168

No, the key could match on the server, it could be stored both places
It has to be sent originally though, bah
Security is hard
Roombor: can I limit access to a page so that only other pages on my domain can access them? Because that way they couldn't send the hash directly to the page, it's a JSP in this case

Roombor
Joined: 02 Jun 2006 Posts: 111

Maybe the random key thing will work
If you store the pass md5 encrypted server side + some random generated key
On the client side encrypt it once with the normal key, and encrypt the hash with the random key
Send it back to the server, on the server encrypt the hash with the random key, compare and generate a new random key
If they sniffed the hash it will be useless since the random key has changed
|
Ikopar
Joined: 26 May 2006 Posts: 168

Thanks, you've given me some good ideas

Roombor
Joined: 02 Jun 2006 Posts: 111

;)