Today I thought about an interesting situation. It concerns the login server's user registration and authentication.
Can you tell me about secure transfer between client and server? Can a sniffer compromise a user's login and password?
I think to a certain degree it can. So I ask you: how can I secure my users' accounts?
Question about data access
Forum rules
READ NOW: L2j Forums Rules of Conduct
- KGB1st
- Posts: 230
- Joined: Sat Jul 26, 2014 5:58 pm
-
- Advanced User
- Posts: 1027
- Joined: Thu Aug 14, 2014 6:31 am
Re: Question about data access
Secondary Auth. Check configs in High Five branch.
- KGB1st
- Posts: 230
- Joined: Sat Jul 26, 2014 5:58 pm
Re: Question about data access
Sacrifice wrote: Secondary Auth. Check configs in High Five branch.
And what can I see? I ask about serious traffic sniffers and protocol attacks.
-
- Advanced User
- Posts: 1027
- Joined: Thu Aug 14, 2014 6:31 am
Re: Question about data access
Sacrifice wrote: Secondary Auth. Check configs in High Five branch.
KGB1st wrote: And what can I see? I ask about serious traffic sniffers and protocol attacks.
We can't do anything...
-
- Posts: 66
- Joined: Tue Dec 24, 2013 1:30 am
Re: Question about data access
KGB1st wrote: Today I thought about an interesting situation. It concerns the login server's user registration and authentication. Can you tell me about secure transfer between client and server? Can a sniffer compromise a user's login and password? I think to a certain degree it can. So I ask you: how can I secure my users' accounts?
The attacker would have to dehash the password (very, very time consuming).
It's so time consuming that it's not even worth it.
If you plan on adding account management to your website, you must enforce HTTPS and make sure you are not leaving any access to the database open. I've seen people leave their PHP scripts containing database credentials accessible.
Remember to set up a firewall and hold the door.
So you want a L2J Server? Check out my guide viewtopic.php?f=81&t=30556&p=182721#p182721
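How long "dehashing" takes depends entirely on how the password was stored, which the post above leaves implicit. The following is an added example (not L2J code) that contrasts an unsalted SHA-1 column, which a precomputed table cracks with a single lookup per row, with a salted PBKDF2 record, where every guess against every user costs the full iterated hash. The account names and wordlist are constructed sample data; the record format `pbkdf2_sha256$iterations$salt$hash` is a choice made here, not an L2J convention.

```python
"""Password storage: what a database dump gives an attacker.

Added example, not L2J code. Compares an unsalted SHA-1 column with a salted,
iterated PBKDF2 record. The user rows and the wordlist are constructed.
"""
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = [b"123456", b"password", b"hunter2", b"qwerty", b"dragon"]


def store_sha1(password: bytes) -> str:
    """Weak scheme: one fast, unsalted hash. Same password, same row value."""
    return hashlib.sha1(password).hexdigest()


def store_pbkdf2(password: bytes, iterations: int = 100_000, salt=None) -> str:
    """Salted, iterated record: algo$iterations$salt$hash (salt and hash in hex).
    The salt is random per user, so equal passwords give different records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: bytes, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def rainbow_table(wordlist) -> dict:
    """Precomputed once, reusable against every unsalted row in every dump."""
    return {hashlib.sha1(w).hexdigest(): w for w in wordlist}


def crack_sha1_rows(rows: dict, table: dict) -> dict:
    """rows: account -> stored SHA-1 hex. One dict lookup per row, no hashing."""
    return {acct: table[h] for acct, h in rows.items() if h in table}


def crack_pbkdf2_row(record: str, wordlist) -> tuple:
    """The salt forces the attacker to redo the full PBKDF2 work per guess,
    per user. Returns (password found or None, PBKDF2 computations spent)."""
    work = 0
    for guess in wordlist:
        work += 1
        if verify_pbkdf2(guess, record):
            return guess, work
    return None, work
```

The caveat the example makes visible: a weak password in the wordlist is still found against PBKDF2, just at a cost of one full iterated hash per guess per user instead of a table lookup, so the slow hash buys time, not immunity.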
- KGB1st
- Posts: 230
- Joined: Sat Jul 26, 2014 5:58 pm
Re: Question about data access

-
- L2j Senior Developer
- Posts: 795
- Joined: Sun Aug 14, 2005 11:27 am
Re: Question about data access
When the user's computer has a virus which steals passwords, you can't prevent account stealing, because the virus can always locally hook the location where the account credentials are encrypted, before they get encrypted. You can never secure account credentials when the user's machine itself is compromised.
The best you can do is to provide asymmetric cryptography over the course of the data transmissions. But when the key to decrypt the message from the other side is transmitted over the same device, a sniffer only needs to be present at the time the keys are exchanged and can read what the other side is sending. This only ensures that nobody can fake messages from the other side, because the sniffer doesn't have the private key for encrypting traffic. But it can fake messages to the other side.
To make absolutely sure, you would have to introduce another authentication device, like sending a mobile message to the phone number on the user's account, which requires the mobile device to send a message back to grant login access. That is the only way to protect against a user's compromised machine and unauthorized logins. Credentials, however, can always be stolen when the user's machine is compromised.
Away because of a building site in my place.
H5 GeoData from Nos & FBIagent
GoD Ch3 Lindvior GeoData from Nos & FBIagent
Yet another Buffer (Freya & HighFive)
Party Teleporter (Freya & HighFive)
FBIagent
- KGB1st
- Posts: 230
- Joined: Sat Jul 26, 2014 5:58 pm
Re: Question about data access
Thanks. I read your post and fully understand it, but I think that mobile messages and SSL certificates are very expensive for a simple server.
Proxies are expensive too. So we could do it with client-side SSL + iptables, but the problem is in the client: we must hack and rewrite more code.

- Zoey76
- L2j Inner Circle
- Posts: 7008
- Joined: Tue Aug 11, 2009 3:36 am
Re: Question about data access
Someone else could confirm but I don't think the client supports SSL.
Powered by Eclipse 4.34 | Eclipse Temurin 21 | MariaDB 11.3.2 | L2J Server 2.6.3.0 - High Five
Join our Discord!

-
- Posts: 66
- Joined: Tue Dec 24, 2013 1:30 am
Re: Question about data access
Just use Diffie-Hellman so you don't have to worry about managing and protecting the private key.
Cryptography will protect the data while it's in transit, but it won't protect a user with a keylogger installed on his machine.

So you want a L2J Server? Check out my guide viewtopic.php?f=81&t=30556&p=182721#p182721
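Two points in this thread, FBIagent's "a sniffer only needs to be present at the time the keys are exchanged" and the "just use Diffie-Hellman" reply, turn on the same distinction: whether the key exchange is authenticated. The following is an added example, not L2J code and not the login protocol the L2J client actually speaks, that runs one login exchange three ways: a passive sniffer that only records, an active attacker that substitutes its own Diffie-Hellman values in both directions, and the same active attacker against a client that pins the server's static public value (the job a certificate does in SSL/TLS). The modulus is a toy 127-bit prime and the cipher is a toy SHA-256 keystream, both assumptions made here for readability; the login message is constructed sample data.

```python
"""Unauthenticated vs. pinned Diffie-Hellman over a sniffed or intercepted wire.

Added example, not L2J code. Toy parameters: a 127-bit Mersenne prime group and
a SHA-256 keystream cipher stand in for real primitives (use X25519 + AES-GCM
or TLS in practice). The login line and account name are constructed.
"""
import hashlib
import secrets

P = 2**127 - 1   # toy DH modulus: prime, but far too small for real use
G = 5            # toy generator


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared_key(priv, peer_pub):
    """32-byte session key derived from the DH shared secret."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def xor_cipher(key, data):
    """Toy stream cipher: SHA-256 counter-mode keystream XORed with the data.
    Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Attacker:
    """On the wire. Passive: records only. Active: swaps in its own DH value."""

    def __init__(self, active):
        self.active = active
        self.seen = []           # everything that crossed the wire
        self.recovered = None    # plaintext login, if the attack works
        self.priv, self.pub = dh_keypair()

    def relay_pub(self, pub):
        self.seen.append(pub)
        return self.pub if self.active else pub

    def relay_ciphertext(self, ct, key_with_sender, key_with_recipient):
        self.seen.append(ct)
        if not self.active:
            return ct            # a passive sniffer holds only public values
        plaintext = xor_cipher(key_with_sender, ct)
        self.recovered = plaintext.decode()
        return xor_cipher(key_with_recipient, plaintext)   # re-encrypt onward


def run_login(attacker, server_static_priv=None, client_pinned_pub=None):
    """One exchange: server pub -> client, client pub -> server, encrypted login.
    Returns (bytes the server decrypted or None, attacker.recovered, aborted)."""
    login = b"login KGB1st:correct-horse"   # constructed sample credentials
    if server_static_priv is not None:
        s_priv, s_pub = server_static_priv, pow(G, server_static_priv, P)
    else:
        s_priv, s_pub = dh_keypair()
    c_priv, c_pub = dh_keypair()

    # 1. server -> client: DH public value (attacker may replace it)
    pub_seen_by_client = attacker.relay_pub(s_pub)
    if client_pinned_pub is not None and pub_seen_by_client != client_pinned_pub:
        return None, attacker.recovered, True   # pinned value mismatch: abort

    # 2. client -> server: DH public value (attacker may replace it)
    pub_seen_by_server = attacker.relay_pub(c_pub)

    client_key = dh_shared_key(c_priv, pub_seen_by_client)
    server_key = dh_shared_key(s_priv, pub_seen_by_server)
    # Keys the attacker ends up sharing with each side, but only if it
    # substituted its own value; computed from the values it saw on the wire.
    atk_key_with_client = dh_shared_key(attacker.priv, c_pub)
    atk_key_with_server = dh_shared_key(attacker.priv, s_pub)

    # 3. client -> server: credentials under the client's session key
    ct = xor_cipher(client_key, login)
    ct = attacker.relay_ciphertext(ct, atk_key_with_client, atk_key_with_server)
    return xor_cipher(server_key, ct), attacker.recovered, False
```

The second scenario is the one to notice: the server decrypts the credentials correctly and nobody on either end sees anything wrong, so an unauthenticated exchange fails silently. Pinning (or a signed key, which is what a certificate provides) is what makes the substitution detectable, and none of it helps when the client machine itself runs the attacker's code.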