|
|
|
|
|
|
by kerkeslager
3263 days ago
|
|
|
If it's a field on inputs of type password, all you'd get is something like: <input type='password' password-nonce='42'></input> Browsers that support the password-nonce argument sign as I described. Browsers that don't support it pass through the password and the server performs the ZKPP key generation (this is no worse than the current system of hashing passwords). So servers can implement this immediately without worrying about breaking in non-supporting browsers. After adoption by a few major sites, browsers can add a warning that the server didn't send a password nonce and the password will be passed to the server so the user has to click "Okay" before it gets submitted. This can be escalated to more severe messages to pressure more sites to comply. |
|
|