Challenge/Response Login: Register / Change Pass Security?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Nathaniel
Forum Contributor
Posts: 396
Joined: Wed Aug 31, 2005 5:58 pm
Location: Arkansas, USA


Post by Nathaniel »

So I just read Maugrim's Challenge / Response login tutorial (I had read it before, but not for the purpose of using the system), and the idea sounds good. However, a system is only as secure as its weakest link.

Say I put the challenge / response system in place on my login page. Hackers give up trying to sniff the passwords of people logging in. Instead, they just move to sniffing the passwords of people registering or changing their password. Yes, I could use the sha256 js function to hash the passwords before sending them across the network (instead of having PHP hash them), but it would lack the challenge system, since we need to know the hashed value of the password so we can store it in the db.

Then the password is going across the network as a hash, which isn't all that great. The hackers can sniff the hash and login with that: load up a login page, grab the challenge code generated, and use their own version of the login form to send the correct response. Now they're logged in, and could even change the password of the account they just hacked if they wanted to.

My question is this: if traffic sniffers can get around the Challenge / Response login by sniffing the password of people registering or changing their password, then why bother putting in a Challenge / Response login system?

Also, is there something I should be doing with the passwords on the register / change password page besides just hashing them? If so, then I could see the benefit of a Challenge / Response login.

- Nathaniel
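The scenario in the post above, as an added runnable model that is not part of the thread and not Maugrim's tutorial code. It assumes a scheme of the shape the post describes (an assumption about the tutorial's exact design): the server stores H = SHA-256(password), sends a random challenge at login, and the browser answers with SHA-256(challenge || H). Python is used instead of PHP/JavaScript because the point is protocol-level; the `Server` class, the user "alice" and the password are constructed. The three return values show (1) a legitimate login works, (2) a login response captured off the wire is useless against a fresh challenge, and (3) the hash captured during registration or a password change lets anyone answer any future challenge, which is exactly why the exchange in which H itself crosses the network needs TLS.

```python
import hashlib
import hmac
import secrets


def password_hash(password: str) -> str:
    # What the sha256 JS function computes before registration / change-password submit.
    return hashlib.sha256(password.encode()).hexdigest()


def make_challenge() -> str:
    # Fresh random nonce per login attempt; 16 bytes is plenty for a demo.
    return secrets.token_hex(16)


def client_response(challenge: str, stored_hash: str) -> str:
    # Browser-side computation at login: only this value leaves the client.
    return hashlib.sha256((challenge + stored_hash).encode()).hexdigest()


class Server:
    """Constructed toy server: in-memory user table and one outstanding challenge per user."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}     # username -> stored hash H
        self.pending: dict[str, str] = {}   # username -> outstanding challenge

    def register(self, username: str, stored_hash: str) -> None:
        # Registration / change-password request: H itself is the request body,
        # so a passive observer on an unencrypted link sees it in the clear.
        self.users[username] = stored_hash

    def issue_challenge(self, username: str) -> str:
        challenge = make_challenge()
        self.pending[username] = challenge
        return challenge

    def login(self, username: str, response: str) -> bool:
        # The challenge is single-use: pop it so a second submission cannot reuse it.
        challenge = self.pending.pop(username, None)
        if challenge is None or username not in self.users:
            return False
        expected = client_response(challenge, self.users[username])
        return hmac.compare_digest(response, expected)


def replay_login_response(server: Server, username: str, observed_response: str) -> bool:
    """A response observed during someone's login, re-sent against a fresh challenge."""
    server.issue_challenge(username)
    return server.login(username, observed_response)


def answer_with_observed_hash(server: Server, username: str, observed_hash: str) -> bool:
    """H observed during registration lets the observer compute a valid response."""
    challenge = server.issue_challenge(username)
    return server.login(username, client_response(challenge, observed_hash))


def demo() -> tuple[bool, bool, bool]:
    srv = Server()
    h = password_hash("correct horse")    # constructed password
    srv.register("alice", h)              # point (3): H crosses the wire here
    challenge = srv.issue_challenge("alice")
    response = client_response(challenge, h)   # point (2): challenge+response cross the wire here
    legit = srv.login("alice", response)
    return (
        legit,                                            # True
        replay_login_response(srv, "alice", response),    # False: stale challenge
        answer_with_observed_hash(srv, "alice", h),       # True: H is password-equivalent
    )


if __name__ == "__main__":
    print(demo())
```

The model confirms both halves of the post: challenge/response does defeat a replay of the login exchange, but the stored hash is a password-equivalent secret, so any page that transmits it (registration, change password) is the weak link unless the transport itself is encrypted.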
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Changing passwords doesn't happen that often. That's about it. Remember: challenge/response is a workaround. Ideally, you should be using https.
Nathaniel
Forum Contributor
Posts: 396
Joined: Wed Aug 31, 2005 5:58 pm
Location: Arkansas, USA

Post by Nathaniel »

AGISB raised the same question I had. I should have done a bit of searching before posting this topic.

Ok, SSL it is.