Steve Morrey wrote:
What has me worried is that $user_password is hashed prior to this function by an SHA1 function written in Javascript, prior to being passed in to PHP. This means that we are comparing the hash of a hash, which we all know is generally considered bad practice.
Agreed, double hashing is bad, for the reasons you outlined. Additionally, if the client program is transmitting a hash to the server, I hope it's also SSL encrypting the transmission or the system is subject to replay attack. Hashed passwords don't really buy you any security for transmission (since they are subject to replay attack). They are mostly used so the password never has to be stored in the DB in clear text.
--Dave /* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
