On Dec 28, 2010, at 3:18 PM, Dotan Cohen wrote:

> I'm toying with the idea of having the passwords hashed twice: they're
> already in the database hashed, and javascript hashes them on the
> client before sending them over, but I'm thinking about sending an
> additional salt to the client to hash the hashed passwords with salt,
> and that's what is sent back. This way, each login is done with a
> different hash of the password so an attacker cannot simply capture
> and reuse the hashed password.
> But before all that goes on, I have to decide what to do about leading
> and trailing spaces.

Toy with it and discard it. Client side hashing / salting is not a good idea. A 
much better alternative is to use SSL.


Joshua Kehn | josh.k...@gmail.com

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to