Re: Authenticating with Django without the password being sent to the server

2017-01-14 Thread Florian Apolloner
I am not going to comment on the security side of things here, since as others already commented: you do not win much security wise. If you are worried about plaintext password leaks via MITM, use TLS - period.

On Saturday, January 14, 2017 at 7:24:24 PM UTC+1, Chris Priest wrote:
> > Has anyone

Fellow Report - January 14, 2017

2017-01-14 Thread Tim Graham
Triaged
---
https://code.djangoproject.com/ticket/27689 - FileSystemStorage().get_valid_name() may return empty string (wontfix)
https://code.djangoproject.com/ticket/27703 - Template language type annotations (needsinfo)
https://code.djangoproject.com/ticket/27701 - Document that

Re: Authenticating with Django without the password being sent to the server

2017-01-14 Thread Melvyn Sopacua
On Saturday 14 January 2017 10:24:24 Chris Priest wrote:
> The way django's authentication system works is that when you
> register, you send the password to the server, then the server runs
> that password through some hashing algorithms, then the resulting
> hash is stored in the database. When

Re: Authenticating with Django without the password being sent to the server

2017-01-14 Thread Markus Holtermann
That's as correct, Anthony. And you then want to hash the hash so that you can't just login knowing the hashed password when the database is leaked. Essentially you haven't won anything. Second, how do you make sure the JavaScript is properly transmitted and doesn't contain any code that sends

Re: Authenticating with Django without the password being sent to the server

2017-01-14 Thread Anthony King
Chris, then the password is the hash itself. It doesn't really have any security benefits. Disclaimer: I'm not a security expert

On 14 Jan 2017 18:24, "Chris Priest" wrote:
> The way django's authentication system works is that when you register,
> you send the password to

Authenticating with Django without the password being sent to the server

2017-01-14 Thread Chris Priest
The way django's authentication system works is that when you register, you send the password to the server, then the server runs that password through some hashing algorithms, then the resulting hash is stored in the database. When the user logs in, the password again is sent to the server,