[personal profile] ibneko
We'll generate a new challenge string. This will be composed of:
- a random lifespan
- a random character
- and probably the mysql key for the row we're temporarily storing our randomness in.
We'll encode this in MD5 and send it to the client as the challenge.
Client encodes (password+challenge) with MD5 and sends this back to us.
We compare MD5(password+challenge) with what the client replies with.
If they match, they're authenticated.

Did I get that right? I've been reading various articles and also looking at livejournal code. I'm pretty sure it's right, as... even if the MD5 hash gets intercepted by someone in the middle, they can't guess the password, since it'll be quite different each time: changing one letter in the string used to generate MD5 will result in a vastly different MD5 hash, if my memory isn't lying. And our challenge string will be different each time.
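The exchange described above, as an added example that is not part of the original post: a Python sketch in which the server mints the challenge from a lifespan, a random character and a row key, the client replies with MD5(password+challenge), and the server checks the reply. The in-memory dict standing in for the MySQL row, the lifespan range, the function names and the test password are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the MySQL table the post keeps its randomness in:
# maps an outstanding challenge to its expiry time (seconds since the epoch).
OUTSTANDING = {}
_next_row_key = 0          # stands in for the table's auto-increment id


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def server_new_challenge(now=None):
    """Server: build MD5(lifespan + random char + row key) and remember it."""
    global _next_row_key
    now = time.time() if now is None else now
    lifespan = 60 + secrets.randbelow(540)          # 1 to 10 minutes, constructed range
    rand_char = secrets.choice("abcdefghijklmnopqrstuvwxyz")
    _next_row_key += 1
    challenge = md5_hex(f"{lifespan}:{rand_char}:{_next_row_key}")
    OUTSTANDING[challenge] = now + lifespan
    return challenge


def client_response(password, challenge):
    """Client: reply with MD5(password + challenge)."""
    return md5_hex(password + challenge)


def server_verify(stored_password, challenge, response, now=None):
    """Server: accept only an unexpired, never-used challenge whose response matches."""
    now = time.time() if now is None else now
    expires_at = OUTSTANDING.pop(challenge, None)    # consume it: one use only
    if expires_at is None or now > expires_at:
        return False
    expected = md5_hex(stored_password + challenge)
    return hmac.compare_digest(expected, response)   # constant-time comparison
```

Two details the post leaves implicit are made explicit here: the challenge is removed from the table on first use, so a captured response cannot simply be sent again, and the server has to hold the password itself to recompute MD5(password+challenge).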

Date: 2006-07-11 07:13 am (UTC)
From: [identity profile] jaiwithani.livejournal.com
Everyone knows the best way to handle authentication is store the password as a string in the html and compare it to the user's input in a javascript popup :-P

Date: 2006-07-11 07:21 am (UTC)
From: [identity profile] ibneko.livejournal.com
Hehe. That's got so many holes, I just shudder thinking about it.

Oh, better idea, who needs passwords, anyways? We'll just ask for their login, and if their IP address doesn't match up with what they had when they first created their account, we'll just ask them to register... again. :-P Or send them an e-mail with a "verification link".

Page generated Sep. 24th, 2017 03:20 am
Powered by Dreamwidth Studios