Password Security

Initial password transfer will be RSA-encrypted on the client side, using 1024-bit keys and ohdave's snazzy javascript libraries. This is after MD5ing the password, and HMAC-MD5-combining with their username and a system-wide salt, then MD5ing again. On the server-side, I'll store the hashed and system-salted password, so when they log back in, I'll send a challenge string and the system-salting code and get back a verifiable hash. What could be easier, huh.

Yeah, you get the feeling SSL would have been such overkill, and judging from Meebo's trial, would have buried my poor server. Which reminds me of ongoing DHCP troubles. I'm working around it with a couple poor hacks, but may devote a day just to ease remote admin.

I can't believe it's almost summer.