Re: Authentication in webapp.
- From: Arne Vajhøj <arne@xxxxxxxxxx>
- Date: Wed, 09 Jul 2008 20:11:11 -0400
John B. Matthews wrote:
In article <7m0774l312ludch0q1v1q3o6sovl4n1dt2@xxxxxxx>,
David Segall <david@xxxxxxxxxxxxxxx> wrote:
The user logs in with a user name and password and the password is put
through an MD5 hash then encoded into base64. The resulting string is
compared against the string stored in the database when the user first
registered. The actual password is not stored in the database and is
only in the computer's memory while it is being entered and encoded.
The MD5 hash is included in java.security and the base64 encoding is
from Mikael Grev's MiGBase64
<http://sourceforge.net/projects/migbase64>.
Presuming the name and password arrive unmolested, one goal is to prevent unauthorized use of the passwords by someone who can obtain a copy of the data. Using MD5 alone in this context has known limitations:
<http://en.wikipedia.org/wiki/MD5>
You can mitigate this effect somewhat by using a suitably chosen salt:
<http://en.wikipedia.org/wiki/Salt_%28cryptography%29>
I'm not aware of any security benefit to base64 encoding.
A different salt for each user + SHA256 hashing should be pretty good.
Arne
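The scheme Arne suggests (a fresh random salt per user, SHA-256 over salt plus password, the result stored next to the salt), written out as a small Java class. This is an added illustration, not code from the thread or from MiGBase64; it assumes Java 8 or later so that java.util.Base64 can stand in for the third-party Base64 encoder mentioned above, and it invents the record layout "sha256$<salt>$<digest>" and the class and method names. The comparison uses MessageDigest.isEqual so that the check does not leak timing information about how many leading bytes matched.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

/** Per-user salted SHA-256 password storage (illustration written for this page). */
public final class SaltedPasswordStore {
    private static final int SALT_BYTES = 16;               // 128-bit random salt per user
    private static final SecureRandom RNG = new SecureRandom();

    /** Builds the value to store at registration: "sha256$<base64 salt>$<base64 digest>" (hypothetical layout). */
    public static String register(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                                // different salt for every user
        byte[] digest = digest(salt, password);
        return "sha256$" + Base64.getEncoder().encodeToString(salt)
             + "$" + Base64.getEncoder().encodeToString(digest);
    }

    /** Recomputes the digest with the stored salt and compares it in constant time. */
    public static boolean verify(char[] password, String stored) {
        String[] parts = stored.split("\\$");
        if (parts.length != 3 || !"sha256".equals(parts[0])) {
            return false;                                   // unknown or corrupted record
        }
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = digest(salt, password);
        return MessageDigest.isEqual(expected, actual);     // constant-time comparison
    }

    /** SHA-256(salt || password); the plaintext bytes are wiped as soon as they have been hashed. */
    private static byte[] digest(byte[] salt, char[] password) {
        byte[] pw = toUtf8(password);
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(pw);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every Java runtime", e);
        } finally {
            Arrays.fill(pw, (byte) 0);                      // keep the password in memory only as long as needed
        }
    }

    /** Encodes a char[] as UTF-8 without going through an immutable String. */
    private static byte[] toUtf8(char[] chars) {
        ByteBuffer bb = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[bb.remaining()];
        bb.get(out);
        return out;
    }

    public static void main(String[] args) {
        char[] pw = "correct horse".toCharArray();         // constructed sample password
        String stored = register(pw);
        System.out.println("stored record: " + stored);
        System.out.println("same password verifies:      " + verify("correct horse".toCharArray(), stored));
        System.out.println("other password verifies:     " + verify("wrong".toCharArray(), stored));
        System.out.println("two records for one password are identical: " + register(pw).equals(stored));
    }
}
```

Two records created from the same password differ because each gets its own salt, which is what stops a precomputed table or a single cracking run from covering every account at once. The salt itself is not secret and is stored in the clear beside the digest. One caveat a reviewer would add today: SHA-256 is fast by design, so an attacker holding a copy of the table can still test guesses at high speed; the same structure works unchanged with a deliberately slow derivation such as PBKDF2 (available in the JDK as SecretKeyFactory "PBKDF2WithHmacSHA256"), which is the usual recommendation now.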