Not sure I agree with this. Requiring JavaScript for login / authentication is crazy, as it means those without JS can't authenticate. If you allow both methods, you have just increased the attack vector by 100%.
Ross

On Sat, May 9, 2009 at 7:28 AM, Paul Johnston <paul....@gmail.com> wrote:
> Hi,
>
> Good summary Ben. Mike - no worries for jumping the gun, about 50% of
> replies have been similar. I'm still learning how to tailor these
> communications to reduce line noise; any suggestions would be welcome.
>
> In fact, MD5 is fine for this use; the scheme doesn't rely on the
> collision resistance property. And I suggest using salts to reduce the
> impact of rainbow tables. SHA1 is probably the best bet, simply
> because the js file is the smallest.
>
> General response from TG/Django is basically +0 "we'll probably accept
> it if you implement it". Obviously I'm not going to implement this for
> every web framework under the sun, but I think I will for repoze.who.
> If you guys want to add to AuthKit, happy to help/advise, if someone
> else leads.
>
> I am a security specialist and have worked in web security for many
> years. This is a small improvement really. I remember the online
> banking site where you could transfer money out of others' accounts
> by tampering with hidden fields. Or the multi-million currency trading
> site where you could change the exchange rate in a hidden field. Or
> the rich text editor where you could upload a .aspx file and
> compromise the server. And many many more :-)
>
> Paul