[sldev] [POLICY] Development by consensus (Re: Question regarding upcoming maintenance on 11/27-

Matthew Dowd matthew.dowd at hotmail.co.uk
Wed Nov 28 03:13:47 PST 2007
> On Wed, 2007-11-28 at 09:47 +0000, Matthew Dowd wrote:
>> Of course, hashing is of limited protection if someone has grabbed the
>> backend database, as they are now in a position to run large scale
>> dictionary attacks on the hashes at their leisure on their own
>> equipment!
> 
> Which requires time. Time enough to detect the intrusion and reset
> everyone's password, instantly invalidating the stolen database.

Most intrusions remain undetected until they are exploited for malicious purposes!

However, I think the bottom line is:

SSL server verification has a number of advantages but also a number of disadvantages.
Challenge-Response has a number of advantages but also a number of disadvantages.

It isn't a clear-cut decision which is the most appropriate, and I certainly wouldn't want to rule out either offhand (and there may be a third way).

However, staying with an XML-RPC authentication procedure would allow either approach (or even both).

Moving to a web form automatically rules out challenge response.

Matthew
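The exchange above turns on how much protection a hashed password table gives once the backend database has been copied. The block below is an added illustration, not code from the original thread or from the Second Life client or server: it contrasts a fast unsalted hash with a salted, iterated one (PBKDF2-HMAC-SHA256, an assumed choice; the work factor of 200,000 iterations and the four-word dictionary are constructed values for illustration) and counts the work an offline dictionary attack costs in each case, which is the "time" the quoted reply is relying on to detect the intrusion and reset passwords.

```python
import hashlib
import hmac
import os

# Constructed toy word list standing in for an attacker's offline dictionary
# (assumption: real lists run to millions of entries; the mechanics are the same).
DICTIONARY = ["password", "letmein", "secondlife", "hunter2"]

ITERATIONS = 200_000  # PBKDF2 work factor; an assumed value for this example


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme: a single fast SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash: every guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """What the backend stores per user: random per-user salt, work factor and digest."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": slow_salted_hash(password, salt, iterations)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = slow_salted_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def precomputed_lookup(stolen_fast_hashes: list) -> dict:
    """Against unsalted hashes the attacker hashes the dictionary ONCE and reuses
    the table for every stolen hash, and for every database stolen later.
    Returns {hash: recovered_password} for the hashes that were in the table."""
    table = {fast_unsalted_hash(word): word for word in DICTIONARY}
    return {h: table[h] for h in stolen_fast_hashes if h in table}


def dictionary_attack_salted(records: list) -> tuple:
    """Against salted records no table can be shared: the whole dictionary is
    rehashed under each record's own salt, and each attempt costs `iterations`
    HMAC calls. Returns ({record_index: recovered_password}, pbkdf2_calls)."""
    recovered = {}
    calls = 0
    for idx, rec in enumerate(records):
        for word in DICTIONARY:
            calls += 1
            if verify(rec, word):
                recovered[idx] = word
                break
    return recovered, calls


def total_hash_operations(pbkdf2_calls: int, iterations: int = ITERATIONS) -> int:
    """Underlying HMAC invocations the attacker must perform for the salted case."""
    return pbkdf2_calls * iterations


if __name__ == "__main__":
    # Unsalted: one table, instant lookup for every stolen hash.
    stolen = [fast_unsalted_hash("password"), fast_unsalted_hash("not-in-any-list")]
    print("unsalted recovered:", precomputed_lookup(stolen))

    # Salted and iterated: per-record work that scales with the dictionary size.
    records = [make_record("letmein"), make_record("correct horse battery staple")]
    found, calls = dictionary_attack_salted(records)
    print("salted recovered:", found, "pbkdf2 calls:", calls,
          "HMAC operations:", total_hash_operations(calls))
```

Note that the slow scheme does not make a weak password safe (record 0 still falls to the dictionary); it buys the detection-and-reset window the quoted reply depends on, and only per-user salts prevent one precomputed table from breaking every account at once.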