On Sun, Mar 16, 2008 at 12:29 AM, Dave Smith <[EMAIL PROTECTED]> wrote:
> Steve Morrey wrote:
> > What has me worried is that $user_password is hashed prior to this function
> > by an SHA1 function written in Javascript, prior to being passed in to PHP.
> > This means that we are comparing the hash of a hash, which we all know is
> > generally considered bad practice.
>
> Agreed, double hashing is bad, for the reasons you outlined.
> Additionally, if the client program is transmitting a hash to the
> server, I hope it's also SSL encrypting the transmission or the system
> is subject to replay attack. Hashed passwords don't really buy you any
> security for transmission (since they are subject to replay attack).
> They are mostly used so the password never has to be stored in the DB in
> clear text.

If you don't need/want SSL, you could implement something similar to digest authentication (rfc2617) to protect the password and provide a measure of protection against replay attacks.
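The digest-style exchange mentioned above, as an added example that is not part of the original thread: the client answers a server nonce using the RFC 2617 `qop=auth` formula, and the server refuses a captured response sent a second time. `DigestServer`, `demo`, the realm, the user and the password are hypothetical names and constructed values.

```javascript
// Added example (not from the thread). Node.js, standard library only.
const crypto = require("crypto");
const md5 = (s) => crypto.createHash("md5").update(s).digest("hex");

// Client side: only a response bound to the server's nonce crosses the wire.
function digestResponse({ username, realm, password, method, uri, nonce, nc, cnonce, qop }) {
  const ha1 = md5(`${username}:${realm}:${password}`);
  const ha2 = md5(`${method}:${uri}`);
  return md5(`${ha1}:${nonce}:${nc}:${cnonce}:${qop}:${ha2}`);
}

// Server side (hypothetical class): stores HA1, issues random nonces, rejects reuse.
class DigestServer {
  constructor(realm) {
    this.realm = realm;
    this.ha1 = new Map();    // username -> HA1 (no cleartext password stored)
    this.nonces = new Map(); // issued nonce -> highest nonce-count accepted so far
  }
  addUser(username, password) {
    this.ha1.set(username, md5(`${username}:${this.realm}:${password}`));
  }
  challenge() {
    const nonce = crypto.randomBytes(16).toString("hex");
    this.nonces.set(nonce, 0);
    return nonce;
  }
  verify({ username, method, uri, nonce, nc, cnonce, qop, response }) {
    const ha1 = this.ha1.get(username);
    if (!ha1 || !this.nonces.has(nonce)) return false;   // unknown user or nonce we never issued
    const count = parseInt(nc, 16);
    if (!(count > this.nonces.get(nonce))) return false; // replay: nonce-count must increase
    const ha2 = md5(`${method}:${uri}`);
    const expected = Buffer.from(md5(`${ha1}:${nonce}:${nc}:${cnonce}:${qop}:${ha2}`));
    const got = Buffer.from(String(response));
    if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) return false;
    this.nonces.set(nonce, count);                       // burn this nonce-count
    return true;
  }
}

// Constructed login: the first submission is accepted, the identical replay is not.
function demo() {
  const server = new DigestServer("example-realm");
  server.addUser("alice", "constructed-password");
  const req = { username: "alice", method: "POST", uri: "/login",
                nonce: server.challenge(), nc: "00000001", cnonce: "0a4f113b", qop: "auth" };
  req.response = digestResponse({ ...req, realm: "example-realm", password: "constructed-password" });
  return { first: server.verify(req), replay: server.verify(req) };
}
```

MD5 appears only because RFC 2617 specifies it. The stored HA1 is password-equivalent for this realm, and the scheme does not encrypt anything else in the request.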
