I've always stored plain passwords in cookies. And today I decided to educate myself about cookies a bit. Well, I was expecting that : you should not store plain passwords in cookies.
Basically, if your computer gets compromised, everyone can read what's in your cookies. So you'd better not store important information that are not encrypted.
What is the work around ? Storing a token + his identification. When someone logs in, I create a random token and store it in the database under its name.
Next time the guy comes around, I see that he has a token, I check if its identification coincides with the token, if it does I log the guy in.
I've seen hardcore implementations where the token (in the database, and in the guy's cookies) is refreshed on every page. I find that a bit troublesome as the cookie expires after 5 days (in my implementation) so it's no big risks.
I could also have put a timestamp forbidding anyone to log in with that token after 5 days. But I feel like it would be over protecting.
塞翁失马
posted December 2013
ran into that fable, made me think of bitcoins and litecoins.
A farmer had only one horse. One day, his horse ran away.
All the neighbors came by saying, “I'm so sorry. This is such bad news. You must be so upset.”
The man just said, “We'll see.”
A few days later, his horse came back with twenty wild horses following. The man and his son corraled all 21 horses.
All the neighbors came by saying, “Congratulations! This is such good news. You must be so happy!”
The man just said, “We'll see.”
One of the wild horses kicked the man's only son, breaking both his legs.
All the neighbors came by saying, “I'm so sorry. This is such bad news. You must be so upset.”
The man just said, “We'll see.”
The country went to war, and every able-bodied young man was drafted to fight. The war was terrible and killed every young man, but the farmer's son was spared, since his broken legs prevented him from being drafted.
All the neighbors came by saying, “Congratulations! This is such good news. You must be so happy!”
The man just said, “We'll see.”
Here it is, Lamborghini is now accepting bitcoins and the first purchase was made for a Tesla.
"Lamborghini Newport Beach is proud to announce that we are fully capable of accepting Bitcoin as legal tender for vehicles, We are excited to be opening the door to this new currency."
more info here
Apparently things are going pretty bad for one of Silk Road's replacement : http://www.reddit.com/r/SheepMarketplace/comments/1ru2kw/sheep_is_down_admin_blames_user_ebook101_for_scam/" target="_blank">Sheep Market place is scamming its users.
Also, the creator might have been found. I'm not a big fan of posting personal info so I'll just post this http://pastebin.com/raw.php?i=9spTATw6" target="_blank">message
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 2 November 2013, I was contacted on IRC by a pseudonymous chatter, "an
anonymous security hobbyist". He said he had some information for me if I would
swear to keep it secret. I agreed as long as it didn't involve violence like
hitmen.
He had been impressed by [my bet against Sheep &
BMR](http://www.reddit.com/r/SilkRoad/comments/1pko9y/the_bet_bmr_and_sheep_to_die_in_a_year/)
and agreed with me that the official Sheep story about `sheepmarketplace.com`
was too stupid for words, and wanted to share the info with me. He then told me
he had just finished researching Sheep Marketplace and was highly confident that
the operator was a Czech programmer by the name of "Tomáš Ji?ikovský", and
further, earlier that day he had mailed off his results to the FBI. (He also
claimed credit for the BMR & PBF leaks.)
After reading through his results, checking some of the links to see if they
were as described, agreeing with him that Tomas matches the profile for the
Sheep operator uncannily well, and reflecting how stupid I was to not look
harder at sheepmarketplace.com because as soon as you see the forum posts where
Tomas complains about the problems of running a Bitcoin-using hidden service
it's completely obvious that Tomas=Sheep, I suggested he contact Tomas. He
declined, saying he didn't want to spook Tomas (he is not a big fan of drugs),
although he agreed I could release the results within 7 months. The most I
managed to get out of him was permission to [post a cryptographic hash
precommitment](http://www.reddit.com/r/SilkRoad/comments/1ptd6b/precommitment_proof_of_knowledge_about_a/):
$ echo 'Sheep Marketplace was founded and run by Tomáš Ji?ikovský (random
nonce: 19093)' | sha512sum
43a4c3b7d0a0654e1919ad6e7cbfa6f8d41bcce8f1320fbe511b6d7c38609ce5a2d39328e02e9777b339152987ea02b3f8adb57d84377fa7ccb708658b7d2edc
-
I was as precise as I could be at the time; saying it was a precommitment to
Tomas's identity would have clearly breached the agreement.
Anyway, I took his notes, made copies of all the webpages linked in, and
prepared a single compilation in MAFF format:
https://dl.dropboxusercontent.com/u/182368464/2013-11-03-sheepmarketplace-doxxing.maff
The basic overview of the findings:
1. Tomas owns the hosting service for the sheepmarketplace.com VPS server. There
were very few domains hosted there as well, and he controlled several of them.
2. The site itself seemed to be very closely connected to SMP, using the same
basic technologies and possibly a non-public API
3. The official excuse does not wash as sheepmarketplace.com was set up not long after
SMP itself
4. Tomas is the earliest known promoter of SMP (1 February 2013), and recommened SMP &
BMR over Silk Road (11 April 2013)
5. Tomas is a C++ QT Nette Framework Czech developer who runs Ubuntu, exactly like the
SMP developer
6. Tomas has complained about the memory demand of `bitcoind` on a VPS server, and discussed
the difficulties of functionality like email from hidden services
7. Tomas or his girlfriend are active users of Tor, as evidenced by screenshots of their
computer
8. it's not clear what Tomas's current job is 9. but it is clear that
as of October, he was working on an e-commerce site which was having problems
with buggy accounting of deposits
10. Tomas posted a .htaccess file which has the same (buggy) functionality as that of SMP
11. He is an accused Bitcoin scammer
A few of these could be explained as coincidence. But all of them? At this
point, I would rate Tomas as >75% likely to be involved with SMP in some
fashion.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iEYEAREKAAYFAlKaXN8ACgkQvpDo5Pfl1oJ+HwCgnQmvBZFTHkzDEHzayEmrTnjB
d+oAnjK0a0UFDwg+wAvkDxsjer6w8rXl
=tYBY
-----END PGP SIGNATURE-----/
poster is http://www.gwern.net/" target="_blank">gwern, http://www.reddit.com/r/SilkRoad/comments/1ptd6b/precommitment_proof_of_knowledge_about_a/" target="_blank">more info on reddit.