Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA

Subject: Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA
Date: Fri, 26 Aug 2005 10:23:46 -0700
From: Tony Fraser <suppressed>

On Fri, 2005-08-26 at 06:49, Michael Peters wrote:
> > Using crypt() is a good start but better would be to use Digest::MD5 or
> > similar with a server side secret like was discussed in the
> > CAP::LinkIntegrety thread earlier. Also as was discussed in the
> > CAP::LinkIntegrety thread it might be worth including the clients IP
> > address in the hash.
> 
> The main reason I use crypt is because it won't give the same results
> everytime with the same string. You just need to randomize the salt.
> What are the advantages of MD5 over DES (which is what crypt uses)? My
> understanding is that DES is actually an encryption but MD5 just creates
> a digest, or summary. You can't break DES enrcryption except for brute
> force, but digests can be reverse engineered (they just make it really
> hard to change the original data without resulting in a new digest).

Actally, most modern UNIX's use MD5 for their crypt function. If you
system allows passwords longer than 8 characters chances are that it
uses MD5. Another way to check is to check if your password hash (in
/etc/shadow) starts with "$1$". That's kind of a magic string that tells
a lot of crypt()s to use MD5 instead of DES.

The problem with crypt() is that it publishes the salt. Assuming that
captcha's are always 6 _digits_ and the salt that was used to create the
hash is publicly available (as part of the hash) it wouldn't take a
whole lot of resources to brute force the captcha. By using Digest::MD5
you can more easily control what information is included in the hash and
you can keep the salt or "server secret" secret, as in not send it over
the wire.

-- 
Tony Fraser
suppressed
Sybaspace Internet Solutions                        System Administrator
phone: (250) 246-5368                                fax: (250) 246-5398

---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/suppressed/
              http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: suppressed
For additional commands, e-mail: suppressed

References:
- [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA
  - From: Jason A. Crome
- Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA
  - From: Michael Peters
- Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA
  - From: Tony Fraser
- Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA
  - From: Michael Peters

Prev by Date: Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA
Next by Date: RE: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA
Previous by thread: Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA
Next by thread: Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA
Index(es):
- Date
- Thread

Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.