Was just wondering if you ever considered also encrypting the Name in the cookies as well? It would require an extra field in the DB to hold the encrypted name and changes to any user/pass code that takes the name from the cookie, but it would double the security imo.
Getting a cookie now gives you a starting point to hack an account, e.g. the Members Logon Name, so people with "weak" passwords, i.e. password, bob, qwerty, fred etc., could easily be guessed without the need to brute force them. Encrypting the name also means a potential attacker really has nothing to go on.
I don't see where this is a help. Anybody can use the login feature to enter any name they want. Create an account and you can search the members list to find the names of other members or just look at the names on the post (doesn't require an account). Enter that name and then the easy password guesses and you basically have the same thing.
We can have a random login key stored in the cookie instead of the encrypted pw, which is unique and changed every time the user logs on. See the discussion here: http://forum.snitz.com/forum/topic.asp?TOPIC_ID=33072