Hi,

So Django hashes passwords server-side with a per-user salt? In that case you do need an Ajax request at login to do the hashing. It's easy enough to create a random (but consistent) response for non-existing users. Or you could make it a configuration option whether Django uses per-user or per-site salts - the security benefits of per-user salts are minor.
To answer the other points:

1) Making this fall back to unencrypted when JS is disabled is no problem.

2) It does have security benefits over a plaintext password. The response is not a password-like credential; it is only valid for one login (or the timeout period, if used in stateless mode). If you don't understand this, read up on challenge-response login.

Paul
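The scheme described in this message (per-user salt fetched via Ajax, a consistent decoy for unknown users, a one-time challenge so the response is not a reusable credential), as an added illustration that is not Django's code and not the author's: the verifier construction, `SERVER_SECRET`, and the class and method names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example, not Django's password hashing. The stored verifier is
# hash(salt + password); the client computes the same value from the salt it
# fetched, then binds it to a one-time server nonce so that only the bound
# response crosses the wire.

SERVER_SECRET = secrets.token_bytes(32)  # hypothetical per-site secret for decoy salts


def password_verifier(salt: bytes, password: str) -> bytes:
    """Value computed client-side and stored server-side: hash of salt + password."""
    return hashlib.sha256(salt + password.encode()).digest()


class ChallengeLogin:
    def __init__(self):
        self.users = {}        # username -> (salt, verifier)
        self.challenges = {}   # username -> outstanding one-time nonce

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, password_verifier(salt, password))

    def salt_for(self, username: str) -> bytes:
        """Ajax step: real salt for known users, deterministic decoy otherwise,
        so the reply does not reveal whether the account exists."""
        if username in self.users:
            return self.users[username][0]
        return hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).digest()[:16]

    def challenge(self, username: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.challenges[username] = nonce
        return nonce

    @staticmethod
    def response(verifier: bytes, nonce: bytes) -> bytes:
        """Client side: MAC the nonce with the verifier; the verifier itself is never sent."""
        return hmac.new(verifier, nonce, hashlib.sha256).digest()

    def verify(self, username: str, response: bytes) -> bool:
        nonce = self.challenges.pop(username, None)  # consumed on first use: no replay
        if nonce is None or username not in self.users:
            return False
        expected = self.response(self.users[username][1], nonce)
        return hmac.compare_digest(expected, response)
```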
