Originally posted by Artemesia Lakener:
I have two basic login/password questions --
1. In J2EE, what's the most common implementation technique for login/pwd? I read some servlet books, and they say that you can use the "FORM" or "BASIC" scheme and create some user/pwd entries on the web container server. But that doesn't sound like commercial style. How does Yahoo handle it? It can't use this mechanism because it allows users to create accounts by themselves.
DIL-A-NADAN
SCJP 1.4, SCWCD 1.3, SCBCD 1.3
A good question is never answered. It is not a bolt to be tightened into place but a seed to be planted and to bear more seed toward the hope of greening the landscape of the idea. John Ciardi
Originally posted by Roger Chung-Wee:
FORM-based authentication is as insecure as Basic authentication as the username/password are not encrypted.
Originally posted by Roger Chung-Wee:
Digest authentication is more secure as an MD5 digest of the password is sent in. But the problems with this authentication are lack of browser support (I think it's only IE5 and later) and lack of servlet container support, as the servlet spec does not mandate it.
Originally posted by Gerardo Tasistro:
Really? So if I post the digest over http I'm safe? Not really! I just snatch your MD5 digest and send it myself. Since your app compares MD5 from client with MD5 in dbase I already have your access!!! Plus now all the MD5s in your database are good as password access codes by anyone.
Originally posted by Gerardo Tasistro:
Without SSL you're lost. The salt model without SSL still offers no security because I know the MD5 and the salt being used. If I get a hold of your MD5 database I can crack open any account instantly.
[ February 06, 2006: Message edited by: Gerardo Tasistro ]
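As an added illustration of the comparison Gerardo describes (example code written for this thread, not from any poster or servlet container): design A accepts the stored MD5 as the login token, so a copy of the database record is itself a working credential, while design B verifies a password sent over TLS against a salted, iterated hash, so the stored record is only an input to verification. The demo password is constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed demo credential for the example; not a real account.
PASSWORD = "correct horse battery staple"

# --- Design A (what the thread warns about): the client sends MD5(password)
# and the server compares it with the MD5 stored in the database. Whatever
# the client sends is exactly what is stored, so the stored value is itself
# a valid credential ("password-equivalent"), and a token captured on the
# wire replays unchanged.
def store_a(password: str) -> bytes:
    return hashlib.md5(password.encode()).digest()

def login_a(stored: bytes, client_token: bytes) -> bool:
    return hmac.compare_digest(stored, client_token)

# --- Design B (the safer shape): the client sends the password itself over
# TLS and the server verifies it against a per-user salted, iterated hash.
# The record cannot be submitted in place of the password.
def store_b(password: str) -> dict:
    salt = os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest}

def login_b(record: dict, client_password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", client_password.encode(), record["salt"], 100_000
    )
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare

def leaked_record_is_credential() -> dict:
    """Audit check: does a copy of the DB record alone pass the login?"""
    rec_a = store_a(PASSWORD)
    rec_b = store_b(PASSWORD)
    return {
        "design_a": login_a(rec_a, rec_a),             # True: hash == credential
        # Design B expects a password; the hash bytes from the DB are not it.
        "design_b": login_b(rec_b, rec_b["hash"].hex()),  # False
    }
```

The check is the one to add to a review of any login code path: if the value the server compares against is byte-for-byte what the client transmits, the database column is a password store regardless of the hash algorithm.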
Originally posted by Anupam Sinha:
How would you get hold of the MD5 database?
Originally posted by Anupam Sinha:
But how would an SSL protect against an attack on the DB?
Originally posted by Anupam Sinha:
Secondly if someone can access and modify the host file then someone can very well set up a keylogger as well.
[ February 06, 2006: Message edited by: Anupam Sinha ]