[cap-talk] Why petnames should not be used for password hashes.
david.nospam.hopwood at blueyonder.co.uk
Thu Aug 25 17:56:51 EDT 2005
M. Scott Doerrie wrote:
> Karp, Alan H wrote:
>> Do you mean http sites? That's very dangerous since there's no way to
>> verify who you're really talking to. PwdHsh uses part of the URL for
>> https sites, but I don't see how you can change a password without
>> ending up with a different one for each site.
> That's exactly the case that petnames can't handle: when I would like to
> authenticate myself, without authenticating the entity I'm communicating
> with. In many cases, such as being at a public terminal reading news or
> blogs from sites that "need" a password.

The vast majority of such sites should not be using passwords.

I have a high-security login, a low-security login, and a "why the hell
does this need a password at all?" login. The latter is username "dhopwood",
password "foobar", and you're free to use it.

David Hopwood <david.nospam.hopwood at blueyonder.co.uk>