• (nodebb)

    Hey I have an idea! Let's just ship all software with perpetual cookies sent over SSL and there's no need to do any authentication, ever.

  • TruePony (unregistered)

    The Real WTF is obviously not using Rot13 encryption. I always use Rot13 twice for good measure.

  • Unnamed (unregistered)

    StackOverflow wasn't around in 2005.

  • LCrawford (unregistered) in reply to TruePony

    Rot13 twice on a blank password is the most secure of all.

  • Gumpy_Gus (unregistered)

    I briefly worked at a place that sent their super-secret government-related passwords in.... base64. That is, you could decrypt them with the base64 command. This had been going on for 22 years.

  • my name is missing (unregistered)

    I worked at a university where they had single signon implemented. Basically you logged into a web page and it made a get request to the application passing the username and password as query parameters. Very handy: sign on once and just save the URL.

  • Brian (unregistered) in reply to Gumpy_Gus
    Gumpy_Gus:
    I briefly worked at a place that sent their super-secret government-related passwords in.... base64. That is, you could decrypt them with the base64 command. This had been going on for 22 years.

    And here we learn the difference between encryption and encoding.

  • (nodebb)

    ... except that those characters aren't escaped, because the return value of the replace method is never used...

  • (nodebb) in reply to Brian
    Gumpy_Gus: I briefly worked at a place that sent their super-secret government-related passwords in.... base64. That is, you could decrypt them with the base64 command. This had been going on for 22 years.
    And here we learn the difference between encryption and encoding

    Now we'll learn the difference between encoding and enciphering, the latter being what conversion to base64 does. Encoding would be to use a one-time pad (or, to be exact, some pad) to encrypt the message. #iseewhatididthere

  • Gumpy_Gus (unregistered) in reply to cellocgw

    Oh, I forgot. Once you typed base64 oaiwdyiausydajz it came back with:

    Contoso1

    and this went to/from port 80, not any fancy TLS port.

  • (nodebb)

    Hmm. Stack Overflow launched in Sept 2008.

  • mitch (unregistered) in reply to Gumpy_Gus

    If it is proper government, it'll say "you're not allowed to decrypt that, go to jail". Instantly secure.

  • (nodebb) in reply to Gumpy_Gus

    That is nothing. I was told that the sensitive, personal information was fine over the internet because it was encoded -- in Unicode. "See all of those spaces in there. That makes it so it is not straight forward to work with"... not a direct quote, but pretty close to it. They were quite serious about it passing the security bar as well.

  • Friedrice the Great (unregistered) in reply to cellocgw

    Sorry, a one-time pad is a cipher, not a code. A cipher operates at the individual character level. A code operates at the word level. So the word "purple" might be encoded as "enigma". An encoded message might then be further enciphered just to make things a bit more difficult for the opposition.

  • I dunno LOL ¯\(°_o)/¯ (unregistered)

    "We send those credentials to the backend using a from submission"

    What is a from submission? Does it need a matching to submission?

  • P (unregistered) in reply to urkerab

    ... except that those characters aren't escaped, because the return value of the replace method is never used...

    Not to mention that the regex is wrong: it should be /\+/g and not /\\+/g because it's a regex literal. /\\+/g actually matches any consecutive group of \s.

    I blame this on Remy not knowing his deal of JS again. Come on, how hard is it to learn JS if even monkeys can write code in it?
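An added illustration of the two defects P points out (not code from the article or from anyone in the thread; the sample value, the function names and the `%2B` replacement string are made up for the example):

```javascript
// Added example. Demonstrates (1) that the regex literal /\\+/g matches
// backslashes, not plus signs, and (2) that String.prototype.replace returns
// a new string, so discarding its return value leaves the input unchanged.

// Constructed sample value containing both a literal '+' and a backslash.
const SAMPLE = "p+ss\\word+1"; // the string is: p+ss\word+1

// Buggy pattern: inside a regex literal, \\ is one escaped backslash,
// so this matches one or more backslashes.
const WRONG_RE = /\\+/g;
// Intended pattern: \+ is a literal plus sign.
const RIGHT_RE = /\+/g;

// Mirrors the first bug: replace() is called but its result is thrown away,
// so the caller gets the original, unescaped value back.
function escapeNoEffect(value) {
  value.replace(RIGHT_RE, "%2B"); // return value never used
  return value;
}

// Mirrors the second bug: the return value is used, but the regex rewrites
// backslashes and leaves every '+' untouched.
function escapeWrongRegex(value) {
  return value.replace(WRONG_RE, "%2B");
}

// Both fixed: the right pattern, and the returned string is actually used.
function escapePlus(value) {
  return value.replace(RIGHT_RE, "%2B");
}

// A value placed into a query string should be encoded as a whole;
// encodeURIComponent handles '+' (as %2B), '\' (as %5C) and the rest.
function encodeForQuery(value) {
  return encodeURIComponent(value);
}
```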

  • NevemTeve (unregistered)

    Off: well, yes SSL/TLS does warrant safety. Never mind that even your antivirus software plays MitM attack on your SSL/TLS traffic.

  • Dave (unregistered) in reply to Friedrice the Great

    Pretty much every word of that is wrong. Codes have fixed one to one (or many) relationships between input and output. Ciphers do not, they can encipher the same plaintext in multiple ways.

    A one time pad is a form of cipher. That's why you can use it to encipher any string.

  • (nodebb)

    A code is a mapping from the space of possible messages into some other space (possibly the same one) of representations. Maybe because the communication channel (which includes storage) carrying the message can't handle the original representation, or to improve reliability of the communication in the face of noise.

    Encryption is encoding with additional requirements imposed, driven by the motives of the communicators, to prevent unauthorised access or alteration of the message being communicated.

  • Tino (unregistered)

    The real WTF is, that "challenge" is never used.

  • isthisunique (unregistered)

    It makes more sense to just hash it.

    Though I'm undecided if thou must always have the password is really entirely legit. There's lots of sensitive details you can't hash.

    I am a fan of the public/private encryption strategy combined with hashing. When a user signs up you hash their password as normal then encrypt it and send it down a one way pipe. That one way pipe would permit rehashing the passwords down the line, usually offline as in you take a USB of the encrypted plugins, put it in the airgapped machine, rehash and then put the hashes on the USB, take them back, upload to your server, import into the database.

    I wouldn't trust most people to set that up securely, but then I wouldn't expect most people to set up anything securely.

Leave a comment on “Doubly Encrypted Logins”
