Securing a website...storing hashed passwords?

From: David Whitney (intrepid_dw_at_hotmail.com)
Date: 07/27/03 

Date: 27 Jul 2003 06:14:54 -0700

Hello, all...

I've been trying to become smarter about the proper way to improve the
security for a web site that presumably won't have an SSL option. I
keep going in a bit of a circle, so I thought I'd solicit some
opinions.

Here's my intent:

The server will supply a random value to a login page. The user will
enter a password, and a javascript routine will combine that password
with the random value and create an MD hash. That hash will be sent to
the server on submit of the page.

On the server end, I'll take the user's password (and here's the
confusion for me), the random number, recompute the hash, and if that
and the submitted hash match, access is granted.

This scheme presupposes the availability of the original password on
the server, presumably in a database - but cleartext pw's in the
database are obviously a nono. The preferred scheme is to store a
hashed password in the database; but if I do that, I can't reconstruct
the password to compute the hash based on the random value the server
supplies to the login page. If I encrypt the password into the
database, I have a key management issue, eg storing either a symmetric
or private key in a web configuration page.

So either I'm storing an important key in a config file and relying on
file security, or I'm putting a plaintext/encrypted password in the
database, so either way it seems I'm violating a rule. Is it a matter
of risk management, or am I missing something more fundamental?

I hope this makes some sense; I'm composing this message in a hurry
and I'm not sure it's written as clearly as I'd like....thanks for
your patience!

Thanks,
-David

p.s. Please reply to group; email in header is long dead.

Relevant Pages
Loading