On Wed, Oct 27, 2010 at 04:21:45PM -0400, David N Murray wrote:
> On Oct 27, Tomas Hlavaty scribed:
> 
> >
> > not sure if I understand it well but it seems to me that your hash
> > becomes the password.  In other words, if I find out the hash, I can log
> > in (e.g. using my own client).
> >
> 
> Yes, I suppose, but the only way I see you getting the hash is:
> a) steal the database
> b) be a MITM over https (I don't do passwords over http when I design a
> site)
> c) browser exploit?  not sure if that's possible

Or simply create an account for yourself and analyze the encryption of
your own password in the client. As the client needs the full
information, including the encryption keys, you might crack it easily.
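The exchange above, as an added example that is not part of the original thread: a minimal model of the two designs. In the "client hashes, server compares" scheme the stored value is itself a usable credential, so anyone who obtains it (database theft, MITM) can log in with their own client without ever knowing the password. Re-hashing on the server with a per-user salt makes a leaked row unusable for replay. The choice of SHA-256 on the client and PBKDF2 on the server, the `WeakServer`/`HardenedServer` names and the sample account are my assumptions for illustration, not anything the thread specifies.

```python
# Added example (not from the thread): model of the two server designs.
# Assumptions: client-side hash is plain SHA-256, server-side re-hash is
# PBKDF2-HMAC-SHA256 with a random per-user salt. Names are illustrative.
import hashlib
import hmac
import os


def client_hash(password: str) -> str:
    # What the browser-side code would compute. The algorithm and any
    # embedded key are visible to anyone who loads the page, so this
    # transform adds no secrecy; it only changes what the credential looks like.
    return hashlib.sha256(password.encode()).hexdigest()


class WeakServer:
    """Stores the client-supplied hash verbatim and compares against it."""

    def __init__(self):
        self.db = {}  # user -> client hash (a password-equivalent)

    def register(self, user, client_value):
        self.db[user] = client_value

    def login(self, user, client_value):
        stored = self.db.get(user)
        return stored is not None and hmac.compare_digest(stored, client_value)


def server_hash(secret: str, salt: bytes) -> bytes:
    # Server treats whatever it received as the secret and stretches it.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class HardenedServer:
    """Re-hashes the received value with a per-user salt before storing it."""

    def __init__(self):
        self.db = {}  # user -> (salt, server-side digest)

    def register(self, user, client_value):
        salt = os.urandom(16)
        self.db[user] = (salt, server_hash(client_value, salt))

    def login(self, user, client_value):
        row = self.db.get(user)
        if row is None:
            return False
        salt, stored = row
        return hmac.compare_digest(stored, server_hash(client_value, salt))


def replay_stolen_db(server_cls):
    """Register a user, 'steal' the database row, then try to log in by
    sending the stolen value instead of the password.
    Returns (legitimate_login_ok, stolen_value_login_ok)."""
    srv = server_cls()
    password = "correct horse battery staple"  # constructed sample credential
    srv.register("alice", client_hash(password))
    legit = srv.login("alice", client_hash(password))

    stolen = srv.db["alice"]
    if isinstance(stolen, tuple):  # hardened rows are (salt, digest)
        stolen = stolen[1].hex()  # attacker replays the digest as-is
    replay = srv.login("alice", stolen)
    return legit, replay


if __name__ == "__main__":
    print("weak    :", replay_stolen_db(WeakServer))
    print("hardened:", replay_stolen_db(HardenedServer))
```

Note what the hardened variant does and does not fix: a stolen database no longer yields login-ready credentials, but a value captured in transit (the MITM case in the thread) is still replayable for as long as the account keeps that password, because the server cannot distinguish the real client from one that merely resends the same hash. Client-side hashing on its own is therefore not a substitute for TLS and a server-side password hash.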