On 6 Jul 2011, at 15:43, Robert Newson wrote:

> Essentially, in 1.2, I'm saying that the password setting
> functionality occurs solely on the Erlang side, it can't be done from
> Javascript any more. I'm unsure how controversial that is, but it's my
> experience that it's always the server that gets the plaintext of a
> password and hashes it for storage, it's only here that I've seen it
> done in the client.
There's a reason for this. Unless I'm missing something, if the client is allowed to submit the password hash itself, you may as well be using plaintext passwords. All an attacker would have to do is gain access to the hashes, and use them directly.
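As an added illustration of the point made above (this is example code, not from the thread or from CouchDB), here is a toy user record with a salted hash verified two ways: once with the client submitting the hash, once with the server hashing the submitted plaintext. The hash scheme sha256(salt + password) is assumed for the example and is not CouchDB's actual password_sha format.

```python
import hashlib
import hmac
import secrets

# Toy salted-hash scheme for illustration: sha256(salt + password).
# Assumption for this example only; not CouchDB's real password_sha scheme.
def hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

def make_user_record(password: str) -> dict:
    """Build the record the server stores for a user (constructed sample)."""
    salt = secrets.token_hex(16)
    return {"salt": salt, "password_sha": hash_password(salt, password)}

def verify_client_hashed(record: dict, submitted_hash: str) -> bool:
    """Weak design: the client sends the hash and the server only compares it,
    so the stored hash is itself a password equivalent."""
    return hmac.compare_digest(record["password_sha"], submitted_hash)

def verify_server_hashed(record: dict, submitted_password: str) -> bool:
    """Server-side design: the server receives the plaintext, hashes it with
    the stored salt, then compares. A copy of the record alone does not verify."""
    candidate = hash_password(record["salt"], submitted_password)
    return hmac.compare_digest(record["password_sha"], candidate)

def leaked_hash_logs_in(verifier, record: dict) -> bool:
    """Check whether replaying the stored hash value passes the given verifier.
    This is the risk the thread describes: a leaked record used directly."""
    return verifier(record, record["password_sha"])

if __name__ == "__main__":
    rec = make_user_record("correct horse battery staple")
    print("client-hashed design accepts replayed hash:",
          leaked_hash_logs_in(verify_client_hashed, rec))
    print("server-hashed design accepts replayed hash:",
          leaked_hash_logs_in(verify_server_hashed, rec))
```

The difference is what a leaked record is worth: under the client-hashed design it is the credential, under the server-hashed design it still has to be cracked first.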
