On 20-Aug-06, at 2:23 PM, Rob Church wrote:
On 20/08/06, TDS tds@cloudstormtech.com wrote:
To address privacy concerns, you must complete a quick verification process to ensure that you are indeed who you say you are. From there on in, you just have to click on the log in link and log in. All passwords are stored in a MySQL table using sha-1 and a salt.
Some elaboration on this would be nice.
Rob Church
The process goes as such:

1) You provide a username to the script.
2) The script checks to see if the username is valid.
3) The script generates the name of a temporary file and asks you to create it in your home directory. To prevent fraud, the name of the file is hashed with a salt so that at the next step the script can ensure that the name of the file was generated by the script (so a user can't say /public_html/index, etc.).
4) The script checks to see if the file exists; if it does, the script allows you to create a password but you cannot choose a username. Again, the username is hashed and the same process is run as above.
5) After registering, passwords are stored as sha-1 hashes with a random salt which is only stored in the salt file.
Thanks,
Tim Abdulla
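The challenge-file flow described in steps 3 to 5 above, as an added example that is not code from the original thread or the script it describes. It assumes the "salt" on the file name is a server-side secret used as an HMAC key (a constructed value here), so the script can recompute the expected name in step 4 and reject a user-chosen path.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Optional

# Assumed server-side secret (the "salt" on the file name); generated once, never shown to users.
SERVER_SECRET = b"constructed-demo-secret"

def challenge_filename(username: str, secret: bytes = SERVER_SECRET) -> str:
    """Step 3: derive the temporary file name the user must create in their home directory.
    An HMAC over the username lets step 4 recompute it and reject any name the
    user picked themselves (e.g. public_html/index)."""
    tag = hmac.new(secret, username.encode(), hashlib.sha1).hexdigest()
    return ".verify-" + tag[:16]

def challenge_is_valid(username: str, claimed: str, secret: bytes = SERVER_SECRET) -> bool:
    """Step 4a: the claimed file name must match what the script generated."""
    return hmac.compare_digest(challenge_filename(username, secret), claimed)

def challenge_file_present(home_dir: str, username: str, claimed: str) -> bool:
    """Step 4b: only look for the expected name, and only inside the home directory."""
    if not challenge_is_valid(username, claimed):
        return False
    return os.path.isfile(os.path.join(home_dir, claimed))

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Step 5: salted SHA-1 as the message describes. Returns (salt_hex, digest_hex)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt.hex(), hashlib.sha1(salt + password.encode()).hexdigest()

def password_matches(password: str, salt_hex: str, stored_digest: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest, stored_digest)

def demo(username: str = "alice") -> bool:
    """Walk the whole flow in a temporary 'home directory'; True if every step behaves."""
    with tempfile.TemporaryDirectory() as home:
        name = challenge_filename(username)
        if challenge_file_present(home, username, name):        # file not created yet
            return False
        open(os.path.join(home, name), "w").close()             # user creates the file
        if not challenge_file_present(home, username, name):
            return False
        if challenge_file_present(home, username, "public_html/index"):  # user-chosen name rejected
            return False
        salt, digest = hash_password("correct horse")
        return password_matches("correct horse", salt, digest) and not password_matches("wrong", salt, digest)
```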