Hi Danielo

In the scenario you outline one normally wouldn't encrypt the password hash
in transit to the server, instead just passing the salted password hash and
relying on SSL for transit security.

This article is quite a good summary of the issues involved in creating and
handling password hashes:

https://crackstation.net/hashing-security.htm

Generally, I'd suggest being very cautious in the area of encryption.
Usually, we program by hacking and modifying our code iteratively until it
appears to work. That approach flat-out doesn't work with encryption. It's
incredibly easy for inexperienced people to inadvertently introduce
weaknesses into a security protocol. Using standard algorithms like the
Stanford JavaScript Library doesn't help much because it is so easy to use
those algorithms incorrectly.

Speaking for myself, I've considered implementing password security in TW
but decided to avoid it because I don't think I'm qualified to do so. My
strategy would be to use an existing library which has been tested and
verified by others.

Best wishes

Jeremy.

On Tue, Dec 2, 2014 at 2:10 PM, Danielo Rodríguez <[email protected]>
wrote:

> Hello,
>
> As part of TiddlyDrive I have plans to allow user-based authentication.
> Here is how I have planned it:
>
>
>    - Password is saved as a hash on server side
>    - Password is hashed before sending and encrypted using some kind of
>    public-private key pair
>    - The password hash is un-encrypted on the server side with the
>    private key and compared with the hashed password.
>    - I want to say that the communication is made under HTTPS
>
> The question is, how can I implement this? I took a look at the Stanford
> Javascript Crypto Library, and I think it can be done with it, but I have
> no experience with this library nor with security, so I will appreciate
> any help or advice on how to implement this.
>
> Regards.
>
> --
> You received this message because you are subscribed to the Google Groups
> "TiddlyWikiDev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/tiddlywikidev.
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Jeremy Ruston
mailto:[email protected]
