On Oct 27, Tomas Hlavaty scribed:

> not sure if I understand it well but it seems to me that your hash
> becomes the password.  In other words, if I find out the hash, I can log
> in (e.g. using my own client).

Yes, I suppose, but the only way I see you getting the hash is:
a) steal the database
b) be a MITM over https (I don't do passwords over http when I design a
c) browser exploit?  not sure if that's possible

UNSUBSCRIBE: mailto:picol...@software-lab.de?subject=unsubscribe

Reply via email to