by gpm
2786 days ago
I separately assume a salt is part of my hash function. Salts only help with rainbow tables (an admirable goal, but not my one here). I can trust the site to deploy the correct javascript more than I can trust it not to steal passwords because

- That is auditable - it is impossible for a malicious site to do so without risking being caught.

- The HTML/JS can be served from static cloud storage that is far less likely to be hacked than the server running a DB verifying passwords.
Hardly. Minimization and obfuscation are trivial, and you can ensure the output is always different in order to defeat auditing. Not great for caching obviously, but 'auditability' is not achievable if the server is determined to fool you.

> - The HTML/JS can be served from static cloud storage that is far less likely to be hacked than the server running a DB verifying passwords.

Passwords are simply not where you want to leverage your security. If you can find a documented example of a real threat that this approach would have mitigated, then I'll take it seriously.