by throwaway09223
1988 days ago
Not transmitting the password is good practice for the same reason it's good practice to not store passwords cleartext: systems can be compromised. I trust we all agree that storing cleartext passwords in a database and doing a simple string compare is a problem, so I won't rehash that bit. If a login server is compromised then attackers can harvest cleartext passwords. It's the same class of problem with a reduced attack surface. There is no good reason to transmit a persistent authentication secret as part of authentication. Just don't do it.