[erlang-questions] Two beautiful programs - or web programming made easy
Wed Feb 16 13:08:51 CET 2011
Indeed, but I didn't say that I refuse to use such a web site.
However, I will be restrictive on such a site when entering
information in forms and such.
On Wed, Feb 16, 2011 at 10:58, Robert Raschke <rtrlists@REDACTED> wrote:
> Well, I would have thought that kind of depends on what you're wanting to
> protect, and who from, no? Would you refrain from using a forum if they sent
> you your password?
> When talking about security there is no such thing as a general approach.
> You need to look at the particular threats and risks to figure out how much
> and how good your security must be.
> This threat and risk analysis appears to be common practice in other fields,
> but tends to be ignored in the IT world, where a whole industry revolves
> around some magical maximum security.
> On Wed, Feb 16, 2011 at 7:54 AM, Håkan Huss <huss01@REDACTED> wrote:
>> You didn't really time the function, you made sure that the second
>> page was non-existant and checked whether or not it had been created
>> after the call. See for instance
>> Anyway, no-one stores passwords in plain text these days, right? (I
>> always check the "forgot password" mechanism of web sites that I sign
>> up to. If they can send me my password I tend to be wary of their
>> security. If they offer to reset my password, they at least got one
>> thing right...).
>> On Wed, Feb 16, 2011 at 07:17, Bengt Kleberg <bengt.kleberg@REDACTED>
>> > Greetings,
>> > Google does not find anything about this so from memory:
>> > The password had to be stored on two different virtual memory pages. You
>> > started with the first character on page one, and the rest on page 2.
>> > The library function that checked if this was the right password would
>> > return faster if the character on page one was correct. After trying all
>> > possible first characters you would then know the correct character.
>> > Then put both the correct first character and another (probably wrong)
>> > character one virtual memory page one, the rest on page two. Repeat.
>> > bengt
>> > On Tue, 2011-02-15 at 21:59 +0100, Robert Virding wrote:
>> >> ----- "Jesper Louis Andersen" <jesper.louis.andersen@REDACTED> wrote:
>> >> > Beware the side-channel attack. Crypto done right, mathematically, is
>> >> > not secure anymore. You need certain functions to take the same
>> >> > amount
>> >> > of time always, or you can gleam off bits from information theoretic
>> >> > attacks.
>> >> This reminds of something from the annals of history, from the golden
>> age of computing. Apparently on a Dec-10 you could tell how many of the
>> characters in an attempted password were correct by the time it took for the
>> system to return that it was an illegal password. Or so the legends say.
>> >> Robert
>> > ________________________________________________________________
>> > erlang-questions (at) erlang.org mailing list.
>> > See http://www.erlang.org/faq.html
>> > To unsubscribe; mailto:erlang-questions-unsubscribe@REDACTED
>> erlang-questions (at) erlang.org mailing list.
>> See http://www.erlang.org/faq.html
>> To unsubscribe; mailto:erlang-questions-unsubscribe@REDACTED
More information about the erlang-questions