Hacker News new | ask | show | jobs
by bhandziuk 1359 days ago
Plain text?? A user's password is hashed...You don't need a paint text password to compare text encrypted with it to other text encrypted in the same method. Either they match or they don't. The user's hashed password doesn't leave the server and plain text is never involved.
1 comments
b3morales 1359 days ago
If you use the password's hash as a key, the plain text no longer matters, because the hash is now the thing that an attacker needs to forge a credential. So your database is effectively storing the real password, as if you had not used a hash.
link
bhandziuk 1359 days ago
I think I see what you're saying but how would that be useful still? Like is an attacker has a hash of the users password they still don't have the server secret.
link