Hi David,

>> not sure if I understand it well but it seems to me that your hash
>> becomes the password.  In other words, if I find out the hash, I can log
>> in (e.g. using my own client).
> Yes, I suppose, but the only way I see you getting the hash is:
> a) steal the database
> b) be a MITM over https (I don't do passwords over http when I design a
> site)
> c) browser exploit?  not sure if that's possible

all these things happen in the real world.  That's why securing login is
hard and confidential stuff leaks all the time.

You could address your current assumptions by, for example:

ad a) use hash+salt server side
ad b) not sure;-)
ad c) don't use javascript

MITM is probably hardest to address but a) shouldn't take much effort
and c) depends on your application I guess.

> I don't do passwords over http when I design a site

Does it mean that you do everything over https?  Or login only?  How do
you handle sessions then?  In url (like the standard picolisp GUI), in
query parameter (using POST) or a cookie?


UNSUBSCRIBE: mailto:picol...@software-lab.de?subject=unsubscribe

Reply via email to