> I do not see how basic hashing of the password is worth much. It simply
> changes your password from what you typed, to something hashed off of what
> you typed. Right? I suppose you could have some sort of handshake to
> determine the salts on a per-connection basis, that would help. But, at
> this point, it sounds like you are describing a poor attempt at recreating
> SSL.
>
> HTTPS can prevent man-in-the-middle attacks, but it cannot in any way be used to guarantee that your entered credentials are not logged or stored improperly at the receiving end.

My point is that, as long as everyone agrees about the algorithms, whether you do hash(password) on the server or hash(hash(password)) split between the client and the server, is irrelevant in practice... but only the latter mechanism guarantees that no clear-text password ever enters the remote system. This could be built into HTTP (added to the RFC).
-- You received this message because you are subscribed to the Google Groups "Java Posse" group. To view this discussion on the web visit https://groups.google.com/d/msg/javaposse/-/7Ut4x1Asf20J. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/javaposse?hl=en.
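The hash(hash(password)) split discussed in the reply above, as an added example that is not from any of the thread's participants: the client hashes the password with a per-user salt and sends only that token, and the server hashes the token again with a salt of its own before storing it. The function names and the choice of PBKDF2-HMAC-SHA256 as the hash are assumptions for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def client_hash(password: str, client_salt: bytes) -> bytes:
    """Client side: the only value that ever leaves the user's machine."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), client_salt, ITERATIONS)


def server_hash(token: bytes, server_salt: bytes) -> bytes:
    """Server side: hash the received token again with a server-only salt,
    so a copy of the database does not contain the token the client sends."""
    return hashlib.pbkdf2_hmac("sha256", token, server_salt, ITERATIONS)


def register(db: dict, user: str, password: str) -> None:
    # The client salt must be given back to the client at login time, so it is
    # stored in the clear; the server salt never leaves the server.
    client_salt = os.urandom(16)
    server_salt = os.urandom(16)
    token = client_hash(password, client_salt)  # computed on the client
    db[user] = {
        "client_salt": client_salt,
        "server_salt": server_salt,
        "stored": server_hash(token, server_salt),  # computed on the server
    }


def login(db: dict, user: str, password: str) -> bool:
    """Returns True when the token the client derives verifies against the
    stored record. The clear-text password is never handed to server_hash."""
    rec = db.get(user)
    if rec is None:
        return False
    token = client_hash(password, rec["client_salt"])  # client sends this
    candidate = server_hash(token, rec["server_salt"])
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, rec["stored"])


if __name__ == "__main__":
    # Constructed sample: an in-memory "database" with one registered user.
    users: dict = {}
    register(users, "alice", "correct horse battery staple")
    print(login(users, "alice", "correct horse battery staple"))  # True
    print(login(users, "alice", "wrong password"))  # False
```

As the quoted poster notes, the token still stands in for the password on the wire, which is why the scheme complements rather than replaces HTTPS; what it adds is that the receiving end can log or mis-store only the token, never the typed password.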
