I've read this very fine tutorial on authentication viewtopic.php?t=38810 by maugrim, and I've implemented it successfully. No problems there. My concern is about the signup process.
Basically, part of the principle of the authentication, as I understand it, is that neither the password nor the hash of the password is sent, so replay attacks cannot be performed. The user sends sha(user:sha(pass):server-challenge). However, if an attacker sniffed sha(pass) (or a plain-text pass) during registration, he could easily create such a reply to the server (I guess?): he would have the user and sha(pass) from the signup, and the server-challenge is sent with the login form. It wouldn't take the five minutes till timeout for the attacker to assemble sha(user:sha(pass):server-challenge)?
Is this an unavoidable risk, are there some measures that can be taken to reduce the risk, or have I misunderstood something, so it is not really a risk at all? Or maybe there is a better way than the obvious one to do registration, which I haven't thought of at all?
Security is important to me; however, signing up and logging in shouldn't require all too many steps, unless unavoidable.
Thanks in advance.
User signup, best practice
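The exchange the question describes, as an added example that is not part of the original post or of maugrim's tutorial. It models the server side (stores sha(pass) at signup, issues a random challenge, checks sha(user:sha(pass):challenge)) and the client side, and then checks the point the poster raises: a party holding only sha(pass) computes exactly the response the real client computes, so the stored hash is a password-equivalent and must be protected in transit (TLS for the signup form) just like the password itself. The challenge store is single-use and expires after the post's five minutes, which is the only defence the scheme itself offers against replay. Assumptions: "sha" is taken to be SHA-1 via hashlib, the 300-second timeout and the names Server, client_response and response_from_hash are mine, and all usernames and passwords are constructed sample values.

```python
import hashlib
import secrets

CHALLENGE_TTL_SECONDS = 300  # the "five minutes till timeout" from the post (assumed value)


def sha(s: str) -> str:
    """The post's sha(): SHA-1 is assumed here; the tutorial's exact digest is not given."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


class Server:
    """Server side of the challenge-response login described in the post."""

    def __init__(self, ttl: int = CHALLENGE_TTL_SECONDS):
        self.users = {}        # username -> sha(pass), exactly what signup transmits
        self.challenges = {}   # challenge -> (username, time issued)
        self.ttl = ttl

    def register(self, user: str, pass_hash: str) -> None:
        # Signup: the client sends sha(pass). Whoever observes this value
        # on the wire can log in later, which is why signup needs TLS.
        self.users[user] = pass_hash

    def issue_challenge(self, user: str, now: float) -> str:
        challenge = secrets.token_hex(16)           # unpredictable, per login attempt
        self.challenges[user + ":" + challenge] = now
        return challenge

    def login(self, user: str, challenge: str, response: str, now: float) -> bool:
        issued = self.challenges.pop(user + ":" + challenge, None)  # single use
        if issued is None or now - issued > self.ttl:
            return False                             # unknown, replayed or expired
        stored = self.users.get(user)
        if stored is None:
            return False
        expected = sha(f"{user}:{stored}:{challenge}")
        return secrets.compare_digest(expected, response)


def client_response(user: str, password: str, challenge: str) -> str:
    """What the genuine client sends: sha(user:sha(pass):server-challenge)."""
    return sha(f"{user}:{sha(password)}:{challenge}")


def response_from_hash(user: str, pass_hash: str, challenge: str) -> str:
    """The same computation done by a party that knows only sha(pass).

    It exists to show, for the poster's question, that the result is
    identical: the hash alone is sufficient, so it deserves the same
    transport protection as the password.
    """
    return sha(f"{user}:{pass_hash}:{challenge}")


if __name__ == "__main__":
    srv = Server()
    srv.register("alice", sha("correct horse"))            # constructed sample user
    c = srv.issue_challenge("alice", now=1000)
    r = client_response("alice", "correct horse", c)
    print("genuine login:", srv.login("alice", c, r, now=1010))
    print("replayed response:", srv.login("alice", c, r, now=1011))
    print("hash-only response matches:", r == response_from_hash("alice", sha("correct horse"), c))
```

Run it as a script to see the three outcomes; the single-use challenge and the expiry are what stop a captured response from being reused, but neither helps once sha(pass) itself has been observed at signup, which is the poster's scenario.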