I'm trying to accomplish this with as little work on the server side as 
possible. If we could get proper salting working on the server side as it 
*should* be, a substantial number of the reasons for this method would be 
eliminated.

The server still can, and I hope it does; however, the goal here is to move it 
client-side and get the server out of it.

Well, we know the method of public key cryptography; that does not make it less 
numerically secure. Yes, I am resetting the timer on when they can get it 
figured out. Right now that time is 0 seconds to, oh, say, a day. Meanwhile it 
can take companies several weeks to find, research and announce the breach. 
That timer moves to a decade at the very least, probably more like 50 years. In 
a decade, I expect services to crumble (e.g. Facebook replaced with something) 
and password policy to require a password change at least once a decade, so no 
password discovered is still valid by the time it is found.

In addition, with buy-in from browsers it stops phishing. All login pages 
should be pushed to HTML5 and use this proposed feature; then any page not in 
compliance is considered insecure, just as self-signed certs are considered 
insecure now by browsers.

________________________________
 From: Arthur Clifford <[email protected]>
To: [email protected] 
Sent: Thursday, August 30, 2012 7:19 PM
Subject: Re: Securing Password Inputs
 

Why not request the salt from the server?
The server could choose whether to always use the same salt or to have rotating 
salts, etc. 
The problem with specifying how to encrypt things in a public specification is 
that everybody knows how it is done, and therefore all you are doing is 
resetting the timer for hackers to figure things out. There should be something 
provided by servers that the server knows and trusts.


-Art C


On Aug 30, 2012, at 11:21 AM, Jason H wrote:

Would it appease you if it were suggested that the standard be that, if no SALT 
attribute is supplied on the INPUT field (zero length or not present), the 
domain name of the ACTION attribute is used? In this way, you can accomplish 
those consolidations and divestments between domains.
