by Joeri 4836 days ago
That's true only for the initial password creation. During verification you could send down two salts, the real salt and a session salt. You double-hash the password on the client with both salts, and the server hashes on the server with the session salt. The hash that gets sent over the wire cannot be used for replay attacks.

I don't think it adds much security though. If you don't trust the channel to properly protect the transmitted password, it's not possible to build a trusted relationship with the server. You have to assume SSL works.
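The two-salt verification described in the comment above, sketched as an added example that is not part of the original comment. The choice of PBKDF2 for the salted hash and HMAC-SHA256 for the session step, and all names and credentials here, are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ROUNDS = 100_000  # assumed PBKDF2 work factor for this sketch

def salted_hash(password, real_salt):
    # Inner hash with the real salt: the value the server keeps on file.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), real_salt, ROUNDS)

def session_hash(stored, session_salt):
    # Outer hash with the session salt: ties the value to one login attempt.
    return hmac.new(session_salt, stored, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.users = {}    # username -> (real_salt, stored_hash)
        self.pending = {}  # username -> session salt awaiting a response

    def register(self, user, password):
        real_salt = secrets.token_bytes(16)
        self.users[user] = (real_salt, salted_hash(password, real_salt))

    def challenge(self, user):
        real_salt, _ = self.users[user]
        session_salt = secrets.token_bytes(16)
        self.pending[user] = session_salt
        return real_salt, session_salt  # both salts are sent down to the client

    def verify(self, user, response):
        session_salt = self.pending.pop(user, None)  # each session salt is single use
        if session_salt is None:
            return False
        expected = session_hash(self.users[user][1], session_salt)
        return hmac.compare_digest(expected, response)

def client_response(password, real_salt, session_salt):
    # Client double-hashes: real salt first, then the session salt.
    return session_hash(salted_hash(password, real_salt), session_salt)

def demo():
    server = Server()
    server.register("alice", "correct horse")  # constructed credentials
    real_salt, s1 = server.challenge("alice")
    captured = client_response("correct horse", real_salt, s1)  # seen on the wire
    first = server.verify("alice", captured)     # legitimate login
    server.challenge("alice")                    # later login, fresh session salt
    replayed = server.verify("alice", captured)  # old value sent again
    return first, replayed
```

`demo()` returns `(True, False)`: the captured value verifies once and is rejected against a fresh session salt. In this construction the stored hash is the secret the client proves knowledge of, so it needs the same protection as a password.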