On Friday, 27 November 2015 at 02:05:49 UTC, H. S. Teoh wrote:
For authentication, the password shouldn't even be sent over the wire. Instead, the server (which knows the correct password) should send a challenge to the client
Most web setups can't rely on that tho cuz of the lameness of client side scripting...
But at least if the password is sent over https you don't have to worry too much about the wire.
