Challenge/Response Login: Register / Change Pass Security?
Posted: Thu Mar 30, 2006 12:00 pm
So I just read Maugrim's Challenge / Response login tutorial (I had read it before, but not for the purpose of using the system), and the idea sounds good. However, a system is only as secure as its weakest link.
Say I put the challenge / response system in place on my login page. Hackers give up trying to sniff the passwords of people logging in. Instead, they just move to sniffing the passwords of people registering or changing their password. Yes, I could use the sha256 js function to hash the passwords before sending them across the network (instead of having PHP hash them), but it would lack the challenge system, since we need to know the hashed value of the password so we can store it in the db.
Then the password is going across the network as a hash, which isn't all that great. The hackers can sniff the hash and log in with that: load up a login page, grab the challenge code generated, and use their own version of the login form to send the correct response. Now they're logged in, and could even change the password of the account they just hacked if they wanted to.
My question is this: if traffic sniffers can get around the Challenge / Response login by sniffing the password of people registering or changing their password, then why bother putting in a Challenge / Response login system?
Also, is there something I should be doing with the passwords on the register / change password page besides just hashing them? If so, then I could see the benefit of a Challenge / Response login.
- Nathaniel