Is this login scheme safe?

Here is what I have for the web app login scheme. There will be two salts in the database and hmac(hmac(password, salt1), salt2).

When the user goes to the login page, he gets salt1. If JavaScript is enabled, instead of sending the plaintext password, the page sends hmac(password, salt1). If JavaScript is not available, the plaintext password is sent.

So, on the server, when we receive a login request, we first check what is sent (passwordSent) against hmac(passwordSent, salt2). If this does not match, we try hmac(hmac(passwordSent, salt1), salt2).

Someone with access to the database will not be able to log in using the password hashes, and I don't think (but maybe I'm wrong) that nesting HMACs affects the hash's resistance. Can any good cryptography expert see the obvious mistake I may have made?

+3
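To make the scheme concrete, here is an added example (not code from the question or any of the answers) that implements the server-side check exactly as the question orders it: first assume the client already sent hmac(password, salt1), then fall back to treating the input as plaintext. It assumes hmac(x, salt) means HMAC-SHA256 keyed with the salt over x; the question does not say which argument is the key or which hash is used. The helper at the end shows what the scheme does protect against (a leaked database row cannot be replayed as a credential) and what it does not (the value a JavaScript client sends is itself a password-equivalent credential, so it needs the same transport protection as a plaintext password).

```python
import hashlib
import hmac
import os


def h(data: bytes, salt: bytes) -> bytes:
    """Assumed reading of hmac(x, salt): HMAC-SHA256 keyed with the salt."""
    return hmac.new(salt, data, hashlib.sha256).digest()


def make_record(password: str) -> dict:
    """Constructed user row: two random salts plus the nested HMAC."""
    salt1, salt2 = os.urandom(16), os.urandom(16)
    stored = h(h(password.encode(), salt1), salt2)
    return {"salt1": salt1, "salt2": salt2, "stored": stored}


def client_credential(password: str, salt1: bytes) -> bytes:
    """What the JavaScript-enabled client sends instead of the password."""
    return h(password.encode(), salt1)


def verify(record: dict, password_sent: bytes) -> str:
    """Server-side check in the question's order.

    Returns 'javascript' if the input was already hmac(password, salt1),
    'plaintext' if it was the raw password, '' if neither matched.
    compare_digest is used so the comparison does not leak timing.
    """
    if hmac.compare_digest(h(password_sent, record["salt2"]), record["stored"]):
        return "javascript"
    nested = h(h(password_sent, record["salt1"]), record["salt2"])
    if hmac.compare_digest(nested, record["stored"]):
        return "plaintext"
    return ""


def leaked_row_is_usable(record: dict) -> bool:
    """Does a copied database row (both salts + stored hash) log in?
    The scheme stores a one-way value, so this should be False."""
    return verify(record, record["stored"]) != ""


def captured_credential_is_usable(record: dict, captured: bytes) -> bool:
    """Does a value captured from the JavaScript path log in again?
    Nothing in the scheme ties it to a session, so this is True: the
    pre-hashed value is password-equivalent and must travel over TLS."""
    return verify(record, captured) != ""


if __name__ == "__main__":
    rec = make_record("correct horse")  # constructed sample password
    print("plaintext path :", verify(rec, b"correct horse"))
    print("javascript path:", verify(rec, client_credential("correct horse", rec["salt1"])))
    print("wrong password :", repr(verify(rec, b"wrong")))
    print("leaked row usable      :", leaked_row_is_usable(rec))
    print("captured value reusable:", captured_credential_is_usable(
        rec, client_credential("correct horse", rec["salt1"])))
```

Two things the run makes visible that the question's prose does not: the database row alone does not authenticate, which is the property the question hopes for, but the client-side HMAC is only a fixed transformation of the password, so intercepting it is as good as intercepting the password itself. Separately, both paths use a single fast HMAC, so an attacker with the row can test candidate passwords at raw SHA-256 speed; a slow password hash such as bcrypt on the server side is what limits that, which is the point the later answer about bcrypt is making.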
4 answers

This is a bit like security through obscurity: why use JavaScript to hash the password on the client side if you still accept a plaintext password from the client?

, https, https, . https, MITM , , javascript, , .

hmac , , , ( ) . MD5, , , , .

, , , . . --Aaronaught

!

+6

. "--" , HTTP, SSL.

; nonce/OTP , , , . .

, - , . , MD5, , ( , ). , ​​ bcrypt, .

, , , . .

+4

, , .

, - HTTPS, .

+1

You might want to check out HTTP Digest authentication. This is a standardized protocol that avoids sending a text password at all.

0

Source: https://habr.com/ru/post/1732043/
