[sldev] [Viewer Auth] Office hour high points.

Callum Lerwick seg at haxxed.com
Wed Oct 17 18:01:11 PDT 2007


On Wed, 2007-10-17 at 19:34 -0500, Argent Stonecutter wrote:
> > Challenge-response is only used to make sure a secret doesn't cross  
> > the network unencrypted.
> 
> Challenge-response is also used to make sure that the security token  
> provided is not replayable.

Challenge-response also requires the server know the password plaintext.
Standard security practice on Unix systems, and for anyone with any
sense at all, is to one-way hash passwords, so that the password
plaintext isn't ever stored even in the backend. This greatly increases
overall security, as someone hacking the server and stealing the
database only gets a bunch of hashes, which they then have to brute
force for them to be any use.

If Linden Lab isn't doing this on their backend, they're doing it wrong,
and should not be trusted with financial information.

SSL is the correct answer.
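The contrast the post draws, as an added example that is not code from the original thread or from Linden Lab's backend: a salted, iterated one-way hash that the server can verify without ever holding the plaintext, beside a plain HMAC challenge-response in which the server must store the very secret the client uses, so a copy of that record answers challenges directly. The user names, passwords, wordlist and PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed example; every value below is made up for illustration.
ITERATIONS = 200_000  # slow, salted KDF: each brute-force guess costs this much work


def hash_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Store only a salted, iterated one-way hash; the plaintext is discarded."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def crack_hash(record: dict, wordlist: list) -> Optional[str]:
    """What a thief holding only the hash record must do: guess, one KDF run per guess."""
    for guess in wordlist:
        if verify_password(record, guess):
            return guess
    return None


# --- simple HMAC challenge-response, the scheme the post argues against ---

def issue_challenge() -> bytes:
    """Server picks a fresh random nonce so a captured response cannot be replayed."""
    return secrets.token_bytes(16)


def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the secret without sending it over the wire."""
    return hmac.new(secret, challenge, "sha256").digest()


def server_check(stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: it must hold the same secret bytes the client used."""
    expected = challenge_response(stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def thief_answers_challenge(stolen_secret: bytes, challenge: bytes) -> bytes:
    """Whoever copies the server's stored secret can answer any challenge directly."""
    return challenge_response(stolen_secret, challenge)


if __name__ == "__main__":
    # Hashed storage: a stolen record is only useful after brute force.
    rec = hash_password("hunter2")
    print("hash verifies:", verify_password(rec, "hunter2"))
    print("cracked from dump:", crack_hash(rec, ["letmein", "password", "hunter2"]))

    # Challenge-response: the stored secret *is* the credential.
    stored = b"hunter2"
    ch = issue_challenge()
    print("legit response ok:", server_check(stored, ch, challenge_response(stored, ch)))
    print("thief with dump ok:", server_check(stored, ch, thief_answers_challenge(stored, ch)))
```

The point the block makes is about what a database dump is worth: with the hash record the thief still has to run the KDF once per guess, while with the challenge-response record the stored bytes authenticate as-is, whatever form the server chose to keep them in for that protocol. The nonce stops replay on the wire, which is the property the quoted reply was defending; it does nothing for the stored secret.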