[gameprogrammer] Re: crypt() in windows

Roger D Vargas wrote:
There is some portable way to get a hash from a string? I have to create an user account via php, create a password hash, insert it into the user database and then calculate the hash again in the client side when user logs in to avoid sending the plain password. But I cant find in Visual

If your interest is making it secure, you'll have to stop and think about it a bit more. "How to send a password over the network" is a well-analyzed problem, and there are basically two approaches (with different tradeoffs).


1. Use a challenge/response mechanism, where the password is never sent but a non-repeatable coded string (based on the password, some uniformly understood time, the hosts involved, etc.) is sent and verified on the server. The main drawback to this system is that passwords must be stored on the server in plain text, or in some recoverable way (i.e., you can't store a one-way hash of the password). The main advantage is that a rogue server masquerading as a legit one can't get your password.

2. Encrypt the channel, using for instance SSL. This allows you to send a plain text password, and you can mitigate the risk of handing your password to a rogue server by verifying the server's certificate and keeping a list of acceptable certificates on the client. However, a worm or trojan or virus that can get on to the client machine can change this. SSL also costs CPU cycles, which may be cycles you wanted to use elsewhere.

Of the two, #2 is probably easier on Windows.
--
 Matthew Weigel
 hacker
 unique@xxxxxxxxxxx
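The challenge/response exchange from option 1, written out as an added example (this is not code from the original post or from either poster). Both sides are shown: the server issues a single-use nonce bound to the user and host, the client answers with an HMAC of that challenge keyed by the password, and the server recomputes it. The user database, host name and 60-second window are assumptions made for the example; note that, exactly as the reply says, the server has to keep the password itself to recompute the MAC.

```python
import hmac
import hashlib
import os
import time

# Constructed sample user database for the example (hypothetical user).
# The server must hold the password (or something recoverable into it):
# a one-way hash of it would not let the server recompute the response.
USER_DB = {"roger": b"correct horse battery staple"}


def issue_challenge(server_state, username, host="game.example"):
    """Server side: create a fresh, single-use nonce tied to user and host."""
    nonce = os.urandom(16).hex()
    server_state[nonce] = (username, host, time.time())
    return {"nonce": nonce, "host": host, "ts": int(time.time())}


def client_response(password, challenge):
    """Client side: prove knowledge of the password without sending it.

    The MAC covers nonce, host and timestamp, so a response captured on
    the wire is only good for this one challenge on this one host.
    """
    msg = "{}|{}|{}".format(
        challenge["nonce"], challenge["host"], challenge["ts"]).encode()
    return hmac.new(password, msg, hashlib.sha256).hexdigest()


def verify_response(server_state, username, challenge, response, max_age=60):
    """Server side: consume the nonce, recompute the MAC, compare safely."""
    # pop() makes the nonce single use, so a replayed response is rejected
    entry = server_state.pop(challenge["nonce"], None)
    if entry is None:
        return False
    user, host, issued = entry
    if user != username or host != challenge["host"]:
        return False
    if time.time() - issued > max_age:
        return False
    password = USER_DB.get(username)
    if password is None:
        return False
    expected = client_response(password, challenge)
    # constant-time comparison so timing does not leak how much matched
    return hmac.compare_digest(expected, response)


def login(server_state, username, password):
    """Run one full round trip; returns (accepted, challenge, response)."""
    challenge = issue_challenge(server_state, username)
    response = client_response(password, challenge)
    ok = verify_response(server_state, username, challenge, response)
    return ok, challenge, response


if __name__ == "__main__":
    state = {}
    accepted, ch, resp = login(state, "roger", USER_DB["roger"])
    print("login accepted:", accepted)
    print("replay accepted:", verify_response(state, "roger", ch, resp))
```

In a real deployment the client would also have to know the server's host name independently of the challenge, otherwise the "host" field adds nothing; the timestamp check on the server is what bounds how long a captured challenge stays usable.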



