User signup, best practice

Posted: Wed Aug 09, 2006 11:03 am
by MrKaizer
I've read this very fine tutorial on authentication viewtopic.php?t=38810 by maugrim - and I've implemented it successfully. No problems there. My concern is with the signup process.

Basically part of the principle of the authentication, as I understand it, is that neither the password nor the hash of the password is sent, so replay attacks cannot be performed. The user sends sha(user:sha(pass):server-challenge). However, if an attacker sniffed sha(pass) (or a plain-text pass) during registration he could easily create such a reply to the server (I guess?) - he would have the user and sha(pass) from the signup, and the server-challenge is sent with the login form. It wouldn't take the attacker the five minutes till timeout to assemble sha(user:sha(pass):server-challenge)?

Is this an unavoidable risk, are there some measures that can be made to reduce the risk, or have I misunderstood something, so it is not really a risk at all? Or maybe there is a better way than the obvious to do registration, which I haven't thought of at all?

Security is important to me; however, signing up and logging in shouldn't require all too many steps, unless unavoidable.

Thanks in advance.
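The exchange described in the post above, as an added example that is not part of the original thread or of maugrim's tutorial. It assumes SHA-1 hex digests and a ":" separator (the post only names the scheme as sha(user:sha(pass):server-challenge)), uses one-time challenges with a five-minute timeout, and shows both what the challenge protects against (replaying a captured response) and what it does not (anyone holding sha(pass) from the signup can answer a fresh challenge).

```python
import hashlib
import hmac
import secrets
import time

# Assumption: sha() is SHA-1 hex; the thread does not fix the hash function.
def sha(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest()

def client_response(user: str, pass_hash: str, challenge: str) -> str:
    """Client side: sha(user:sha(pass):challenge); the password itself never leaves the client."""
    return sha(f"{user}:{pass_hash}:{challenge}")

class Server:
    """Stores sha(pass) per user (what the signup form transmits) and hands out
    one-time challenges that expire after `ttl` seconds (five minutes, as in the post)."""
    def __init__(self, ttl: float = 300.0):
        self.users = {}        # user -> sha(pass), recorded at signup
        self.challenges = {}   # outstanding challenge -> expiry time
        self.ttl = ttl

    def signup(self, user: str, pass_hash: str) -> None:
        self.users[user] = pass_hash

    def issue_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.challenges[challenge] = time.monotonic() + self.ttl
        return challenge

    def verify(self, user: str, challenge: str, response: str) -> bool:
        # A challenge is consumed on first use, so a captured response cannot be replayed.
        expiry = self.challenges.pop(challenge, None)
        if expiry is None or time.monotonic() > expiry or user not in self.users:
            return False
        expected = client_response(user, self.users[user], challenge)
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    srv = Server()
    srv.signup("alice", sha("correct horse"))          # signup sends sha(pass) to the server
    c1 = srv.issue_challenge()
    r1 = client_response("alice", sha("correct horse"), c1)
    login = srv.verify("alice", c1, r1)                # genuine login succeeds
    replay = srv.verify("alice", c1, r1)               # same challenge again: rejected
    c2 = srv.issue_challenge()
    stale = srv.verify("alice", c2, r1)                # old response, new challenge: rejected
    c3 = srv.issue_challenge()
    # Constructed "sniffed" value: sha(pass) as it crossed the wire at signup. It is a
    # password equivalent, so the signup transport itself must be protected (TLS).
    sniffed = sha("correct horse")
    equiv = srv.verify("alice", c3, client_response("alice", sniffed, c3))
    return {"login": login, "replay": replay, "stale": stale, "hash_is_password_equivalent": equiv}
```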

Posted: Wed Aug 09, 2006 11:09 am
by feyd
SSL.

Posted: Wed Aug 09, 2006 5:27 pm
by MrKaizer
Alright thanks, I'll consider that.