[cap-talk] Why petnames should not be used for password hashes.

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Thu Aug 25 17:56:51 EDT 2005

M. Scott Doerrie wrote:
> Karp, Alan H wrote:
>> Do you mean http sites?  That's very dangerous since there's no way to
>> verify who you're really talking to.  PwdHash uses part of the URL for
>> https sites, but I don't see how you can change a password without
>> ending up with a different one for each site.
> That's exactly the case that petnames can't handle: when I would like to
> authenticate myself, without authenticating the entity I'm communicating
> with.  In many cases, such as being at a public terminal reading news or
> blogs from sites that "need" a password.

The vast majority of such sites should not be using passwords.
I have a high-security login, a low-security login, and a "why the hell
does this need a password at all?" login. The latter is username "dhopwood",
password "foobar", and you're free to use it.

David Hopwood <david.nospam.hopwood at blueyonder.co.uk>