Minor fixes (mainly textual) for v{2,3,4,5,7,8,11}

[ssproject1617.git] / report / v2_authentication.tex

diff --git a/report/v2_authentication.tex b/report/v2_authentication.tex
index b0b6889..08c35be 100644 (file)
--- a/report/v2_authentication.tex
+++ b/report/v2_authentication.tex
@@ -127,7 +127,7 @@ force and password hash recovery attacks.
 
 \begin{result}
     Password are stored in database using the PHP function \texttt{crypt}. Internally, this
-    function uses salted MD5. This is way too reverse with brute-force attacks using dictionary files.
+    function uses salted MD5. This is way easy too reverse with brute-force attacks using dictionary files.
 
     Instead it would be better to use the \texttt{argon2} password hashing algorithm
     or the PHP \texttt{password\_hash} function (which currently uses BCRYPT).
@@ -199,7 +199,8 @@ attacks.
         \item Email validation, to harden brute force email address discovery
         \item Installation database check, to prevent guessing attacks for the database password
         \item Login, to prevent login guessing
-        \item And comment submission, to prevent spam, phishing et cetera (by using CAPTCHA).
+        \item And comment submission, to prevent spam, phishing et cetera (by
+        using some CAPTCHA software).
     \end{itemize}
 \end{result}
 
@@ -221,7 +222,7 @@ you extracted testcms to.
     \end{verbatim}
     This implies making the configuration file readable for all users on the
     system. This information should not be accessible for any user other than
-    running the PHP script.
+    the one running the PHP script.
 \end{result}
 
 \item
@@ -275,7 +276,7 @@ commonly chosen passwords and weak passphrases.
 
 \begin{result}
     No password strengthening measures are implemented. The app should
-    use some password strength estimator like \texttt{zxcvbn}.
+    use some password strength estimator like \texttt{zxcvbn}\footnote{\url{https://github.com/dropbox/zxcvbn}}.
 \end{result}
 
 \item