On 20-Aug-06, at 2:23 PM, Rob Church wrote:
On 20/08/06, TDS <tds(a)cloudstormtech.com> wrote:
To address privacy concerns, you must complete a quick verification process to ensure that you are indeed who you say you are. From there on in, you just have to click on the log in link and log in. All passwords are stored in a MySQL table using SHA-1 and a salt.
Some elaboration on this would be nice.
Rob Church
The process goes as such:
1) you provide a username to the script
2) the script checks to see if the username is valid
3) the script generates the name of a temporary file and asks you to create it in your home directory; to prevent fraud, the name of the file is hashed with a salt so that at the next step the script can ensure that the name of the file was generated by the script (so a user can't say /public_html/index, etc.)
4) the script checks to see if the file exists; if it does, the script allows you to create a password but you cannot choose a username. Again, the username is hashed and the same process is run as above.
5) after registering, passwords are stored as SHA-1 hashes with a random salt which is only stored in the salt file
Thanks,
Tim Abdulla
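The five-step flow Tim describes, written out as an added example that is not the script from the thread and not code by any of the participants. It assumes Python, a server-side secret standing in for the "salt" the script keeps (SERVER_SECRET, a constructed value), a constructed list of known usernames for step 2, and a temporary directory standing in for the user's home directory. The challenge filename is an HMAC over the username, so only the script can produce a name that passes step 4 and a user cannot nominate an existing path such as public_html/index. Step 5 is the salted SHA-1 scheme the message states; a deployment today would use a dedicated password hash (bcrypt, scrypt or Argon2) in its place, which is the one change from the thread's design worth flagging.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Constructed server-side secret; stands in for the salt the script keeps
# and never shows to users. Not a real key.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Constructed stand-in for step 2's "is the username valid" check.
KNOWN_USERNAMES = {"alice", "bob"}


def username_is_valid(username):
    """Step 2: accept only usernames the script already knows about."""
    return username in KNOWN_USERNAMES


def challenge_filename(username, secret=SERVER_SECRET):
    """Step 3: derive the temporary filename the user must create.

    HMAC-SHA1(secret, username) keyed with a secret the user does not have,
    so a user cannot forge a name that points at an existing file.
    """
    tag = hmac.new(secret, username.encode("utf-8"), hashlib.sha1).hexdigest()
    return ".verify-" + tag[:20]


def challenge_is_genuine(username, filename, secret=SERVER_SECRET):
    """Re-derive the expected name and compare in constant time."""
    return hmac.compare_digest(challenge_filename(username, secret), filename)


def challenge_satisfied(home_dir, username, filename, secret=SERVER_SECRET):
    """Step 4: the name must be script-generated and exist as a regular file
    directly inside the home directory (no symlinks, no path components)."""
    if not challenge_is_genuine(username, filename, secret):
        return False
    if os.sep in filename or "/" in filename:
        return False
    path = os.path.join(home_dir, filename)
    return os.path.isfile(path) and not os.path.islink(path)


def hash_password(password, salt=None):
    """Step 5 as described: SHA-1 over a fresh random salt plus the password.
    Returns (salt_hex, digest_hex); both are stored for later verification."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def verify_password(password, salt_hex, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest, stored_digest)


def simulate_registration(username, password):
    """Run the whole flow against a temporary home directory and report
    each decision, so the outcome of every step can be inspected."""
    result = {"valid_user": username_is_valid(username)}
    if not result["valid_user"]:
        return result
    with tempfile.TemporaryDirectory() as home:
        fname = challenge_filename(username)
        result["before_file_created"] = challenge_satisfied(home, username, fname)
        open(os.path.join(home, fname), "w").close()   # the user creates it
        result["after_file_created"] = challenge_satisfied(home, username, fname)
        # A forged name pointing at a real file must still fail.
        os.makedirs(os.path.join(home, "public_html"))
        open(os.path.join(home, "public_html", "index"), "w").close()
        result["forged_name"] = challenge_satisfied(home, username, "public_html/index")
    salt_hex, digest = hash_password(password)
    result["password_ok"] = verify_password(password, salt_hex, digest)
    result["wrong_password_ok"] = verify_password(password + "x", salt_hex, digest)
    return result


if __name__ == "__main__":
    for k, v in simulate_registration("alice", "correct horse").items():
        print(f"{k}: {v}")
```

The script's own secret never leaves the server, so the only way to obtain a name that passes step 4 is to be handed one by the script for the username you claimed; creating that file proves control of the home directory, which is the whole point of the verification.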