[web] bcrypt vs challenge


4 replies to this topic

#1 Gamer Gamester   Members   -  Reputation: 136

0 Likes

Posted 18 October 2011 - 01:38 PM

Let's say I'm letting users log in over http (not https)...

I can use a challenge-response so that the passwords aren't sent as cleartext over the wire. However, this requires me to have the cleartext password stored on the server.

Or, I can hash the passwords on the server (probably with bcrypt), but this requires me to send the passwords as cleartext over the wire.

Which of these is preferable?


#2 Bregma   Crossbones+   -  Reputation: 5133

0 Likes

Posted 18 October 2011 - 01:59 PM

Cleartext passwords over the wire are as safe as no password at all.
Stephen M. Webb
Professional Free Software Developer

#3 rip-off   Moderators   -  Reputation: 8210

0 Likes

Posted 18 October 2011 - 03:44 PM

You could still encrypt the password values in the database. Provided the key isn't stored in the database, this protects the passwords from SQL injection, the most common attack that results in mass password leaks. It obviously won't help if your application is compromised too.

#4 markr   Crossbones+   -  Reputation: 1653

2 Likes

Posted 19 October 2011 - 02:44 PM

If your site loads over HTTP, not HTTPS, you have no guarantee (or rather the end-user has no guarantee) that some man-in-the-middle has not modified your Javascript code on the wire, and changed it to secretly send the password to their own server.

An HTTP-loaded site can't rely on its own Javascript code being delivered without malicious modifications.

Such modifications are easily achieved, for example, by the owners of a wifi access point who can route requests through a transparent proxy.

HTTPS does not JUST encrypt things. It also guards against the very real threat of man-in-the-middle attacks, and stops content being modified on the wire. There can be no real web security without this threat mitigated.

Just use HTTPS, anything else is worthless.

If you MUST use HTTP, you may as well use plaintext passwords (or encrypt them using rot13, for all the good it would do).

#5 Gamer Gamester   Members   -  Reputation: 136

0 Likes

Posted 19 October 2011 - 04:59 PM

Thanks for the advice. Yeah, all my research in the past day or so has led to the same conclusion: I'm switching to HTTPS. Really, all websites should....
I had been reluctant to do so as my site's security needs aren't that high (yet, at least), and I'd always felt Certificate Authorities were a bit of a racket.

My research confirmed that CAs are "mostly worthless", but it seems we're stuck with them at the moment. I also learned that you can get free basic certificates authorized from StartSSL (if your need is simply to stop the browser from freaking out innocents with scary warnings). Yes, StartSSL was hacked earlier this year, but I don't really have faith in any of the CAs, so might as well save on the cost (unless someone here knows better on the matter!).



