
RE: [WEB SECURITY] username & pw in clear-text through SSL considered safe?



> if SSL traffic can be sniffed and decrypted by 
> someone in your subnet or by someone that compromised 
> one of your routers creating something like a GRE 
> tunnel, then you're f*****

Whilst this is true, MITM and sniffing both rely on something else to be
broken before they are of any practical use (keys already obtained, a
fake trust hierarchy to be accepted by a client etc.).  SSL works fine
when implemented properly.

> About how to store password in the db:
> A salt is always recommended, but if you store password 
> hashed with sha-256 or even 512 you're almost safe, despite 
> the rainbow tables ;) 

The salt is the thing that makes the rainbow tables ineffective; all
common hash algorithms are prone to rainbow tables, because they are
*common* and designed for general data throughput, not as password
specific hashes. 

Martin...
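To illustrate the point about salts above, here is a small added example (not code from Martin's message or the list): a constructed precomputed table of bare SHA-256 digests recovers an unsalted password with one lookup, while a per-user random salt plus a password-specific KDF (PBKDF2-HMAC-SHA256, assumed here as the "password specific hash") leaves the same table useless. The wordlist and iteration count are constructed for the demo.

```python
"""Why a per-user salt defeats precomputed (rainbow-style) hash tables."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample wordlist standing in for an attacker's precomputed table;
# a real table covers vastly more candidates, but the principle is identical.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "hunter2"]

# Precomputed once: bare SHA-256 digest -> password. Because the hash has no
# per-user input, the same table works against every unsalted database.
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# Constructed work factor for the demo; production values are tuned higher.
ITERATIONS = 200_000


def store_unsalted(password: str) -> str:
    """The scheme from the quoted message: plain SHA-256, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Random per-user salt plus PBKDF2-HMAC-SHA256.

    The salt makes any table built in advance useless; the iteration count makes
    building a fresh table for this one salt expensive.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, dk.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(dk.hex(), stored_hex)


def table_lookup(stored_hex: str) -> Optional[str]:
    """A leaked hash checked against the precomputed table: one dict lookup."""
    return PRECOMPUTED.get(stored_hex)


if __name__ == "__main__":
    print(table_lookup(store_unsalted("hunter2")))  # hunter2: recovered instantly
    salt, h = store_salted("hunter2")
    print(table_lookup(h))                           # None: the salt defeated the table
    print(verify_salted("hunter2", salt, h))         # True: normal login still works
```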


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
