Subject: Re: [wss] Username token profile comments
An additional comment on this profile: In the Threat Model section, it should be stated that, while it is an improvement over PasswordText, PasswordDigest is not perfect. It is vulnerable to a dictionary attack. Including Nonce+Created at the beginning of the digested material makes precomputation of a digest list impossible, but the password may be found by mounting an offline attack using a single message sample. Using well-chosen (unguessable) passwords and/or transport or message confidentiality would help mitigate this threat.

--Pete

Pete Wenzel <pete@seebeyond.com>
SeeBeyond Standards & Product Strategy
+1-626-471-6311 (US-Pacific)
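The following is an added example, not part of Pete's message or of the WSS profile text itself. It implements the PasswordDigest construction as later published in the UsernameToken Profile (Base64(SHA-1(nonce + created + password)), an assumption relative to the draft under discussion) together with the receiver's checks (freshness of Created, rejection of a repeated Nonce+Created pair, constant-time comparison); the `make_token` and `Verifier` names are hypothetical. Because the receiver recomputes the digest from nothing but the password and the fields carried in the message, the same computation is available to anyone holding a single captured message, which is the offline guessing risk the comment describes.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

WSU_FMT = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime form used for wsu:Created


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce || created || password)); nonce is the raw bytes
    that are base64-encoded in the wsse:Nonce element."""
    h = hashlib.sha1()
    h.update(nonce)
    h.update(created.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def make_token(username, password, nonce=None, created=None):
    """Client side: the UsernameToken fields for a PasswordDigest message.
    nonce/created may be fixed for testing; defaults are fresh values."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(WSU_FMT)
    return {"Username": username,
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created,
            "PasswordDigest": password_digest(nonce, created, password)}


class Verifier:
    """Receiver side. It must hold the password (or be able to recover it)
    to recompute the digest; no other secret enters the computation."""

    def __init__(self, passwords, max_skew=timedelta(minutes=5)):
        self.passwords = passwords  # username -> password
        self.seen = set()           # (Nonce, Created) pairs already accepted;
        self.max_skew = max_skew    # only needs retention for the skew window

    def verify(self, token, now=None):
        now_dt = (datetime.strptime(now, WSU_FMT) if now
                  else datetime.now(timezone.utc).replace(tzinfo=None))
        try:
            created = datetime.strptime(token["Created"], WSU_FMT)
        except (KeyError, ValueError):
            return False
        if abs(now_dt - created) > self.max_skew:
            return False            # stale or future-dated Created
        key = (token.get("Nonce"), token["Created"])
        if key in self.seen:
            return False            # replayed Nonce+Created pair
        password = self.passwords.get(token.get("Username"))
        if password is None:
            return False
        expected = password_digest(base64.b64decode(token["Nonce"]),
                                   token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False
        self.seen.add(key)
        return True
```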