Login protocol

How should I develop a login protocol so that it is more secure than what I have now?

  • the client connects and sends its username
  • the server sends salt (always the same) to the user
  • the client adds salt to the password hashes and sends them to the server

Thus, the password is hidden all the time, but it does not stop the hacker from simply copying the hash if he can forward it and send it after receiving the password ...

+1
4 answers

Leave the security for the higher level protocol (SSH, SSL) and keep it simple.

+5


Step 2 seems to be the bigger weakness. If you can make sure the server sends a "big enough" salt and NEVER the same salt twice (I suspect a small portion of decent random numbers plus an incrementing counter, then hashing, MAY be enough, but I can't prove that it's ), this is likely to be enough. Also, follow ssg's instructions and encapsulate it all in an SSL session.

0
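The last answer's point (a fresh, never-repeated challenge) next to the question's static-salt exchange, as an added Python example that is not from this thread: the user store, the HMAC-SHA256 response and the `Server` class are my assumptions, and the transport would still sit inside TLS as the accepted answer says.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed demo user store (assumption): username -> (salt, H(salt || password)).
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, hashlib.sha256(salt + password.encode()).digest())


def static_scheme_replay(username: str, password: str) -> bool:
    """The question's scheme: the salt never changes, so the value the client
    sends is the same every login and a recorded copy is accepted again."""
    salt, verifier = USERS[username]
    captured = hashlib.sha256(salt + password.encode()).digest()  # seen once on the wire
    return hmac.compare_digest(captured, verifier)  # True: replay succeeds


class Server:
    """Challenge-response login: one fresh nonce per attempt, usable at most once."""

    def __init__(self) -> None:
        self._pending: Dict[str, bytes] = {}  # username -> outstanding nonce

    def challenge(self, username: str) -> Tuple[bytes, bytes]:
        salt, _ = USERS[username]
        nonce = secrets.token_bytes(16)  # random, never reused
        self._pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        nonce = self._pending.pop(username, None)  # consumed on first use
        if nonce is None:
            return False
        _, verifier = USERS[username]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    verifier = hashlib.sha256(salt + password.encode()).digest()
    return hmac.new(verifier, nonce, hashlib.sha256).digest()


def login_then_replay(username: str, password: str) -> Tuple[bool, bool]:
    """One honest login, then a replay of the recorded response on a new challenge."""
    server = Server()
    salt, nonce = server.challenge(username)
    response = client_response(password, salt, nonce)
    first = server.verify(username, response)
    server.challenge(username)  # the eavesdropper asks for a fresh challenge...
    return first, server.verify(username, response)  # ...and resends the old answer
```

Note that the stored H(salt || password) is still a password-equivalent for this exchange, which is one more reason to keep the whole thing inside TLS.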

Source: https://habr.com/ru/post/1708694/

