July 2006

Protecting passwords against stealing

Which of these techniques helps in preventing passwords being stolen from the browser?

  a) Using SSL for the authentication pages
  b) Using salted hashing for transmitting passwords
  c) Using an intermediate page after login
  d) All of the above

The correct answer is d) All of the above.

Use of SSL encrypts all traffic and is the right choice for pages that carry sensitive data such as login credentials. But SSL alone is not enough to prevent the password from being stolen. This aspect is discussed in greater detail in Understanding SSL.

Even with SSL, passwords can be stolen from the browser's memory, because SSL encrypts only data in transit. The salted hashing technique keeps the password safe even against such attacks.

Yet another method for stealing passwords is the browser refresh technique that we discussed in an earlier article. Even on an SSL-enabled site, the browser refresh can let the adversary log in without valid credentials. The use of an intermediate page after login is the most secure way to prevent this attack.
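The two techniques above, salted hashing for transmitting the password and an intermediate page after login, are shown together in the following added example. It is not code from the original article; the challenge-response scheme (server sends the user's salt plus a one-time nonce, the browser computes the salted hash locally and sends only an HMAC of the nonce), the 303 redirect to a hypothetical /welcome page, and the tiny Browser model are all assumptions chosen to illustrate the ideas.

```python
"""Added example (not the article's code): a login exchange in which the
plaintext password never leaves the browser, followed by a redirect to an
intermediate page so that a browser refresh replays only a harmless GET."""
import hashlib
import hmac
import secrets


def salted_hash(salt: bytes, password: str) -> bytes:
    # The value stored server-side at registration; the browser recomputes
    # the same value locally, so the plaintext is never transmitted.
    return hashlib.sha256(salt + password.encode()).digest()


def register(users: dict, username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    users[username] = (salt, salted_hash(salt, password))


def issue_challenge(users: dict, username: str, challenges: dict) -> tuple:
    # Server, step 1: hand out the user's salt and a fresh one-time nonce.
    salt, _ = users[username]
    nonce = secrets.token_bytes(16)
    challenges[username] = nonce
    return salt, nonce


def client_response(password: str, salt: bytes, nonce: bytes) -> str:
    # Browser: hash locally, then MAC the nonce. Only the MAC is sent.
    verifier = salted_hash(salt, password)
    return hmac.new(verifier, nonce, hashlib.sha256).hexdigest()


def verify_response(users: dict, challenges: dict, username: str, response: str) -> bool:
    salt, verifier = users[username]
    nonce = challenges.pop(username, None)  # single use: a replay finds no nonce
    if nonce is None:
        return False
    expected = hmac.new(verifier, nonce, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def handle_login_post(users: dict, challenges: dict, form: dict) -> dict:
    # Server, step 2: on success answer "303 See Other" to an intermediate
    # page instead of rendering the logged-in page from the POST itself.
    if verify_response(users, challenges, form["username"], form["response"]):
        return {"status": 303, "headers": {"Location": "/welcome"}, "body": ""}
    return {"status": 401, "headers": {}, "body": "login failed"}


def handle_welcome_get() -> dict:
    return {"status": 200, "headers": {}, "body": "welcome"}


class Browser:
    """Minimal model of a browser: refresh re-sends its last request."""

    def __init__(self) -> None:
        self.last_request = None

    def submit(self, method: str, path: str, form: dict = None) -> dict:
        self.last_request = {"method": method, "path": path, "form": form}
        return self.last_request

    def follow(self, response: dict) -> dict:
        if response["status"] in (302, 303):
            return self.submit("GET", response["headers"]["Location"])
        return self.last_request

    def refresh(self) -> dict:
        return dict(self.last_request)


def login_flow(users: dict, challenges: dict, browser: Browser, username: str, password: str) -> dict:
    # One complete exchange: challenge, response, POST, redirect, intermediate page.
    salt, nonce = issue_challenge(users, username, challenges)
    form = {"username": username, "response": client_response(password, salt, nonce)}
    browser.submit("POST", "/login", form)
    resp = handle_login_post(users, challenges, form)
    if resp["status"] != 303:
        return resp
    browser.follow(resp)  # the browser now sits on GET /welcome, no form data
    return handle_welcome_get()


if __name__ == "__main__":
    users, challenges = {}, {}
    register(users, "alice", "correct horse")  # constructed sample account
    b = Browser()
    print(login_flow(users, challenges, b, "alice", "correct horse"))
    print("refresh would re-send:", b.refresh())
```

After a successful login the browser's current request is GET /welcome with no form data, so pressing refresh re-fetches the intermediate page rather than re-submitting the login POST; without the redirect the last request would still be the POST with the credentials in it. Note that in this scheme the stored salted hash is itself enough to answer a challenge, so the server's store still needs to be protected; what the technique buys is that the plaintext password is neither held in the browser's form data nor sent over the wire.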

Hence all three options above are different techniques, each preventing a different password-stealing attack.

by Santosh Kumar.