On Thu, Jan 17, 2013 at 3:20 AM, Casper Bang <[email protected]> wrote:
> On Monday, January 14, 2013 11:16:56 PM UTC+1, Ryan Schipper wrote:
>>
>> That said, why does the password (in particular) need to be tracked? I
>> can think of a very good reason not to track it: mistyped passwords.
>> Consider how many times you mistype your password. If a computer system
>> were to track my mistyped passwords, the database containing those would
>> become a treasure trove for internal fraudsters.
>>
>
> The problem is that, as a user, we have no idea what goes on on the server
> side of a secure connection we POST credentials to. We have to entirely
> trust the developers behind any given service, which can be hard to do at
> times.
>
> If HTTP included a mechanism to automatically hash the password (one can
> hand-code this today, but it's not common and it's not visible to the user
> of a service), this whole issue of password logging and theft would go
> away. The mechanism should probably include an optional salt, so that even
> attacks using rainbow tables on stolen log files would be useless.
>

I do not see how basic hashing of the password is worth much. It simply
changes your password from what you typed to something hashed off of what
you typed. Right?

I suppose you could have some sort of handshake to determine the salts on a
per-connection basis; that would help. But, at this point, it sounds like
you are describing a poor attempt at recreating HTTPS.
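To make the two schemes argued over above concrete, here is an added Python example; it is not code from the thread or from any of its participants, and the account, password and nonce values in it are constructed for the demo. It assumes SHA-256 for the client-side hash and HMAC-SHA-256 for the per-connection handshake the reply sketches. It shows three things: a plain client-side hash replays straight out of a captured request log; a per-connection server nonce stops that replay; and the stored verifier is still the effective password, so a stolen account table answers any challenge, which is the reply's objection that hashing merely swaps one secret for another.

```python
import hashlib
import hmac
import os

# Constructed in-memory "server database": username -> stored verifier.
# Illustration written for this thread, not any participant's code.
ACCOUNTS = {}


def client_side_hash(password: str) -> bytes:
    """What a 'hash the password in HTTP' mechanism would send instead of the
    typed password. It is a fixed value per password, so whoever captures it
    holds a working credential (assumed hash: SHA-256)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def register(username: str, password: str) -> None:
    """Server stores the same value the client will later send."""
    ACCOUNTS[username] = client_side_hash(password)


# --- Scheme 1: plain client-side hash POSTed to the server ------------------

def login_plain_hash(username: str, submitted: bytes) -> bool:
    """Accept if the submitted hash equals the stored verifier."""
    stored = ACCOUNTS.get(username)
    return stored is not None and hmac.compare_digest(stored, submitted)


# --- Scheme 2: per-connection salt (nonce) agreed in a handshake ----------

def issue_challenge() -> bytes:
    """Server picks a fresh random 16-byte nonce for this connection."""
    return os.urandom(16)


def client_response(password: str, nonce: bytes) -> bytes:
    """Client proves knowledge of the password without sending it or its
    plain hash: HMAC over the server's nonce, keyed by the password hash."""
    return hmac.new(client_side_hash(password), nonce, hashlib.sha256).digest()


def login_challenge(username: str, nonce: bytes, response: bytes) -> bool:
    """Server recomputes the response from its stored verifier and the nonce
    it issued; a response recorded under another nonce will not match."""
    stored = ACCOUNTS.get(username)
    if stored is None:
        return False
    expected = hmac.new(stored, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run the cases discussed in the thread and report each outcome."""
    password = "correct horse battery staple"  # constructed credential
    register("alice", password)

    # Scheme 1: a fraudster reading the request log replays the hash as-is.
    logged_value = client_side_hash(password)
    plain_replay_ok = login_plain_hash("alice", logged_value)

    # Scheme 2: the logged response was computed for nonce_1, but the server
    # issues nonce_2 for the attacker's connection (collision odds 2**-128).
    nonce_1 = issue_challenge()
    logged_response = client_response(password, nonce_1)
    nonce_2 = issue_challenge()
    genuine_ok = login_challenge("alice", nonce_2, client_response(password, nonce_2))
    replay_ok = login_challenge("alice", nonce_2, logged_response)

    # Still only "a different password": the stored verifier is the HMAC key,
    # so anyone who steals the account table can answer any challenge.
    stolen_verifier = ACCOUNTS["alice"]
    forged = hmac.new(stolen_verifier, nonce_2, hashlib.sha256).digest()
    verifier_theft_ok = login_challenge("alice", nonce_2, forged)

    return {
        "plain_hash_replay_succeeds": plain_replay_ok,
        "challenge_genuine_login_succeeds": genuine_ok,
        "challenge_replay_succeeds": replay_ok,
        "challenge_stolen_verifier_succeeds": verifier_theft_ok,
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The nonce handshake removes replay of logged requests, but the server still holds a value equivalent to the password and an eavesdropper can still run an offline dictionary attack against a captured response; neither problem is addressed without an encrypted, authenticated transport, which is the point of the "recreating HTTPS" remark.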
