[sldev] [VWR] Improving Authentication Security

Jason Giglio gigstaggart at gmail.com
Sat Sep 29 12:25:14 PDT 2007


Yes, I think it may be more constructive to discuss alternatives at this 
point.

Nicholaz Beresford wrote:
> 1) Let the current login mechanism remain (maybe with
> increased security like using CRAM-MD5 instead of MD5
> which would have avoided the recent exploit).

Honestly, when I heard that the viewer was only sending a plain hashed 
password like a year+ ago, I assumed that CRAM-MD5 or a similar 
challenge-response type system would be employed to fix this issue. 
It's a no-brainer.

> 2) If there is a need to offer increased security for
> those who want it, have an option to generate a one time
> password on the website and either copy/paste that into the
> viewer's password field or *optionally* launch it via
> secondlife:// viewer (for convenience, where that works).

That might be good, the way credit card companies allow one-time-use 
credit card numbers for entering on sites you don't trust.  It's a 
system we know can work.

> Offer to generate lists of such passwords for printing/storing,
> e.g. to take with you for use in internet cafes, for use on
> devices or situations where no trusted browser is available
> (trusted enough to go to the website to log in with the
> master password to generate a one time password) or where
> www.secondlife.com is simply down.

This might raise some issues: by making them persist longer, we have to 
watch out regarding brute-force/dictionary computability and the 
persistence window length.


> Make this a *CHOICE*, which people could engage if they
> are dealing with clients they don't fully trust or when
> logging into accounts which have valuable assets.

Yes.

-Jason
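The difference the thread is arguing about, as an added example (not code from the post or from the viewer): a fixed password hash sent on the wire is itself a reusable credential, while a CRAM-MD5-style exchange (server nonce, client HMAC over it) gives an eavesdropper nothing replayable. The shared secret here is assumed to be the MD5 of the password, mirroring the hashed-password flow the thread describes; all values are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample credential. The server stores only the derived secret,
# which is the same value the legacy client sends over the wire.
PASSWORD = "correct horse"
SERVER_SECRET = hashlib.md5(PASSWORD.encode()).hexdigest()


def static_hash_login(client_token: str) -> bool:
    """Legacy scheme from the thread: the client sends a fixed hash of the
    password, so whoever captures that hash can log in with it as-is."""
    return hmac.compare_digest(client_token, SERVER_SECRET)


def issue_challenge() -> str:
    """Server side of a CRAM-MD5-style login: a fresh random nonce per attempt."""
    return os.urandom(16).hex()


def client_response(secret: str, challenge: str) -> str:
    """Client proves knowledge of the secret without transmitting it."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()


def challenge_login(challenge: str, response: str) -> bool:
    """Server recomputes the expected HMAC for the nonce it issued."""
    expected = client_response(SERVER_SECRET, challenge)
    return hmac.compare_digest(expected, response)


def replay_demo() -> dict:
    """What a passive eavesdropper gains under each scheme."""
    # Legacy: the captured token is accepted again unchanged.
    captured_token = SERVER_SECRET
    legacy_replay = static_hash_login(captured_token)

    # Challenge-response: capture one complete, valid exchange ...
    c1 = issue_challenge()
    r1 = client_response(SERVER_SECRET, c1)
    first_login_ok = challenge_login(c1, r1)

    # ... then try to reuse that response against the next challenge.
    c2 = issue_challenge()
    cram_replay = challenge_login(c2, r1)
    return {
        "first_login_ok": first_login_ok,
        "legacy_replay_succeeds": legacy_replay,
        "cram_replay_succeeds": cram_replay,
    }
```

Note that the server still holds a password-equivalent secret in both schemes; the challenge only removes it from the wire, so a leaked server-side store remains a separate risk.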

