On Wed, Jan 5, 2011 at 4:49 PM, ndluthier <[email protected]> wrote:
> Do your needs require you to do ALL of the processing client-side (in
> the bookmarklet) or can you do some server-side processing/
> authenticating?

Since the passwords are to be used client-side anyways, I wouldn't even "go there". Always minimize the number of attack-vectors. Since the client must know the unhashed password at least at some point, there's no point in sending it back and forward to a server, increasing the risk of opening an(other) attack vector in the process.

I think Lasse's objections are valid and will be very hard to get around, since it'll be hard to create such a script and only use operators, primitives and literals. Maybe not impossible, but very hard (like, where will you save it without using a global method? :)

- peter
