On Oct 27, Tomas Hlavaty scribed:
> not sure if I understand it well but it seems to me that your hash
> becomes the password. In other words, if I find out the hash, I can log
> in (e.g. using my own client).
Yes, I suppose, but the only way I see you getting the hash is:
a) steal the database
b) be a MITM over https (I don't do passwords over http when I design a
c) browser exploit? not sure if that's possible
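
Added example, not part of this thread or of any code either poster wrote: a sketch of case (a), comparing a server that stores the client-sent hash verbatim with one that treats that hash as the password and stores only a salted, slow hash of it. The client-side scheme (`client_hash`), the class names and the in-memory `db` are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def client_hash(username: str, password: str) -> bytes:
    # Assumed client-side scheme: the browser sends this instead of the password.
    return hashlib.sha256(f"{username}:{password}".encode()).digest()

class NaiveServer:
    """Stores the client-sent hash as-is, so a database row is a working credential."""
    def __init__(self):
        self.db = {}
    def register(self, user: str, sent: bytes) -> None:
        self.db[user] = sent
    def login(self, user: str, sent: bytes) -> bool:
        stored = self.db.get(user)
        return stored is not None and hmac.compare_digest(stored, sent)

class RehashingServer:
    """Treats the client hash as the password: stores salt + PBKDF2 of it."""
    def __init__(self):
        self.db = {}
    @staticmethod
    def _kdf(sent: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", sent, salt, 100_000)
    def register(self, user: str, sent: bytes) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, self._kdf(sent, salt))
    def login(self, user: str, sent: bytes) -> bool:
        row = self.db.get(user)
        if row is None:
            return False
        salt, stored = row
        return hmac.compare_digest(stored, self._kdf(sent, salt))

def replay_stolen_row(server_cls) -> bool:
    """Register a user, then try to log in using only what the database holds."""
    srv = server_cls()
    srv.register("alice", client_hash("alice", "constructed-sample-pw"))
    row = srv.db["alice"]
    stolen = row if isinstance(row, bytes) else row[1]  # the stored verifier
    return srv.login("alice", stolen)

if __name__ == "__main__":
    print("naive server accepts stolen row:    ", replay_stolen_row(NaiveServer))
    print("rehashing server accepts stolen row:", replay_stolen_row(RehashingServer))
```

Server-side rehashing only addresses case (a); a value intercepted in transit, as in case (b), is still accepted by either server because it is exactly what the legitimate client sends.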