Joel is right. A "known plaintext" attack is very effective... and sending a sample of
your encryption to anyone is risky.
Also, just for information's sake, you can recover passwords from digest form... sort
of. Ever heard of "Crack" or "John the Ripper"?
If you enforce strong passwords then it is much more difficult, but the "known
plaintext" attack will still succeed, eventually. Even 128 bit encryption has been
broken this way. To make things worse, if a user can set his/her password to
"password" I'd give your security 10 minutes before it cracks.
I have a suggestion that might help. You could send a cookie that is just a pointer to a
file location or a key of a database on your server. One of your servers could use the
(more or less) harmless information that you send in the cookie to look up what the
digest password would be.
That would prevent "the evil hacker" from breaking into your site using data that you
are sending to him/her.
Cybear
------------------------------------------------------------------------------------
> Curtis,
> are you sure that sending the digest back to the client in cookie form is a
> good idea?
>
> I mean, if I were a hacker, could I not register and then retrieve the
> digest - you then have the plain text and the cipher text. (admittedly you
> would have to know that what's in your cookie is a digest rather than another
> form of session id but still...)
>
ps - hackers are called hackers because they play with things. Eventually, if your site
is interesting enough, someone would try decrypting the info in the cookie.
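The two cookie designs discussed in this thread, as an added example written for it (not code from any of the posters): the criticised scheme puts the password digest itself in the cookie, while Cybear's suggestion makes the cookie an opaque random pointer into a server-side table. In-memory dicts stand in for the server's file/database, and PBKDF2-HMAC-SHA256 is assumed as the digest, since the thread does not say which one is used.

```python
import hashlib
import secrets

# Constructed in-memory stores standing in for the server-side file/database.
USERS = {}     # username -> (salt, password digest)
SESSIONS = {}  # sha256(session token) -> username

def _digest(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256; the thread does not name the digest.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _digest(password, salt))

def verify_password(username: str, password: str) -> bool:
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    return secrets.compare_digest(stored, _digest(password, salt))

def digest_cookie(username: str) -> str:
    """The scheme criticised in the thread: the digest itself leaves the server."""
    salt, stored = USERS[username]
    return f"{username}:{salt.hex()}:{stored.hex()}"

def login(username: str, password: str):
    """Cybear's suggestion: the cookie is a random pointer to a server-side record.
    Returns the cookie value, or None if the credentials are wrong."""
    if not verify_password(username, password):
        return None
    token = secrets.token_urlsafe(32)  # 256 random bits, unrelated to the password
    # Store only a hash of the token so a leaked table does not hand out live sessions.
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = username
    return token

def user_for_cookie(token: str):
    """Server-side lookup: the cookie value is useful only against this table."""
    return SESSIONS.get(hashlib.sha256(token.encode()).hexdigest())

def logout(token: str) -> None:
    SESSIONS.pop(hashlib.sha256(token.encode()).hexdigest(), None)

def cookie_reveals_digest(cookie: str, username: str) -> bool:
    """Defender's check: True means password-derived material is sent to the client."""
    _, stored = USERS[username]
    return stored.hex() in cookie
```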