Gamer Gamester

[web] bcrypt vs challenge

Let's say I'm letting users log in over http (not https)...

I can use a challenge-response so that the passwords aren't sent as cleartext over the wire. However, this requires me to have the cleartext password stored on the server.

Or, I can hash the passwords on the server (probably with bcrypt), but this requires me to send the passwords as cleartext over the wire.

Which of these is preferable?

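As an added illustration of the two options the question contrasts (constructed example, not code from this thread; PBKDF2-HMAC from the Python standard library stands in for bcrypt so it runs without third-party packages, the store-and-verify pattern being the same):

```python
"""
Option A: challenge-response. The server issues a random nonce, the client
returns HMAC(password, nonce). The password never crosses the wire, but the
server can only recompute the HMAC if it holds the password itself (or a
secret derived from it that is exactly as useful to whoever steals the table).

Option B: the server stores a salted slow hash and the client sends the
password. A leaked table yields only hashes that must be cracked; the wire
carries the password.

Both verifiers use hmac.compare_digest so the comparison time does not
depend on where the first mismatching byte is.
"""
import hashlib
import hmac
import os

# --- Option A: challenge-response with HMAC-SHA256 -------------------------

def make_challenge() -> bytes:
    """Server side: fresh random nonce for one login attempt."""
    return os.urandom(16)


def challenge_response(password: str, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the password without sending it."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()


def verify_challenge(stored_plaintext: str, nonce: bytes, response: bytes) -> bool:
    """Server side: needs the stored cleartext password to recompute the HMAC."""
    expected = hmac.new(stored_plaintext.encode(), nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


# --- Option B: salted slow hash kept on the server -------------------------

ITERATIONS = 200_000  # PBKDF2 work factor; bcrypt's cost parameter plays the same role


def hash_password(password: str) -> str:
    """Server side at registration: random salt + slow hash, stored as one string."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Server side at login: the client has sent the password itself over the wire."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    nonce = make_challenge()
    resp = challenge_response("hunter2", nonce)
    print("A: correct ->", verify_challenge("hunter2", nonce, resp))
    print("A: replayed against a new nonce ->",
          verify_challenge("hunter2", make_challenge(), resp))
    record = hash_password("hunter2")
    print("B: stored record:", record)
    print("B: correct ->", verify_password(record, "hunter2"))
    print("B: wrong ->", verify_password(record, "Hunter2"))
```

Note what each side has to keep: in option A the server's table is a list of cleartext passwords (verify_challenge takes stored_plaintext), while in option B the table holds only salted hashes but verify_password needs the candidate password itself, so the channel it arrives over decides how safe that is.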
You could still encrypt the password values in the database. Provided the key isn't stored in the database, this protects the passwords from SQL injection, the most common attack that results in mass password leaks. It obviously won't help if your application is compromised too.

If your site loads over HTTP, not HTTPS, you have no guarantee (or rather the end-user has no guarantee) that some man-in-the-middle has not modified your JavaScript code on the wire, and changed it to secretly send the password to their own server.

An HTTP-loaded site can't rely on its own JavaScript code being delivered without malicious modifications.

Such modifications are easily achieved, for example, by the owners of a wifi access point who can route requests through a transparent proxy.

HTTPS does not JUST encrypt things. It also guards against the very real threat of man-in-the-middle attacks, and stops content being modified on the wire. There can be no real web security without this threat mitigated.

Just use HTTPS, anything else is worthless.

If you MUST use HTTP, you may as well use plaintext passwords (or encrypt them using rot13, for all the good it would do).

Thanks for the advice. Yeah, all my research in the past day or so has led to the same conclusion: I'm switching to HTTPS. Really, all websites should.

I had been reluctant to do so as my site's security needs aren't that high (yet, at least), and I'd always felt Certificate Authorities were a bit of a racket.

My research confirmed that CAs are "mostly worthless" (http://www.youtube.com/watch?v=Z7Wl2FW2TcA), but it seems we're stuck with them at the moment. I also learned that you can get free basic certificates authorized from StartSSL (http://www.startssl.com/) (if your need is simply to stop the browser from freaking out innocents with scary warnings). Yes, StartSSL was hacked earlier this year, but I don't really have faith in any of the CAs, so might as well save on the cost (unless someone here knows better on the matter!).
