I am not going to comment on the security side of things here, since as
others already commented: you do not win much security-wise. If you are
worried about plaintext password leaks via MITM, use TLS - period
On Saturday, January 14, 2017 at 7:24:24 PM UTC+1, Chris Priest wrote:
>
> Has anyone
Triaged
---
https://code.djangoproject.com/ticket/27689 -
FileSystemStorage().get_valid_name() may return empty string (wontfix)
https://code.djangoproject.com/ticket/27703 - Template language type
annotations (needsinfo)
https://code.djangoproject.com/ticket/27701 - Document that
On Saturday 14 January 2017 10:24:24 Chris Priest wrote:
> The way django's authentication system works is that when you
> register, you send the password to the server, then the server runs
> that password through some hashing algorithms, then the resulting
> hash is stored in the database. When
That's as correct, Anthony. And you then want to hash the hash so that
you can't just login knowing the hashed password when the database is
leaked. Essentially you haven't won anything.
Second, how do you make sure the JavaScript is properly transmitted and
doesn't contain any code that sends
Chris, then the password is the hash itself. It doesn't really have any
security benefits.
Disclaimer: I'm not a security expert
On 14 Jan 2017 18:24, "Chris Priest" wrote:
> The way django's authentication system works is that when you register,
> you send the password to
The way django's authentication system works is that when you register, you
send the password to the server, then the server runs that password through
some hashing algorithms, then the resulting hash is stored in the database.
When the user logs in, the password again is sent to the server,