by javanix
6266 days ago
I am working on rolling my own with Struts/JSP. It seems pretty straightforward (hash pass, place on server, and check against), but I need an easy way to compute an SHA hash in-browser, so the server doesn't have to receive the pass in plaintext. Anyone know of a way to do it with Struts/JSP, or even JS if it's not too slow?
* The hash you send will probably be password-equivalent; losing it to an attacker is just as bad as losing the password.
* If you're delivering the JS to generate the hash over HTTP, you have exactly the same threat model as with plaintext passwords (attackers will just substitute a script that sends the raw password).
* If you have working HTTPS, you already have optimal communications security; just send the password.
* Even if you came up with a challenge-response protocol to make the hash non-replayable, the exchange itself would be vulnerable to a trivial dictionary attack.
Don't bother with this idea. Move on to something that will add real value to your app.
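An added illustration of the first bullet above (example code written for this page, not code from either poster or from Struts): scheme A is the design the question describes, where the browser sends `sha256(password)` and the server compares it with the stored digest, so the stored value itself is accepted as a login; scheme B is the conventional server-side design with a per-user salt and a slow KDF, where the stored record is useless as a credential. Names, the in-memory "database" and the sample password are all constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for the example

# --- Scheme A: browser hashes, server compares digests -------------------
def client_side_digest(password: str) -> str:
    """What the in-browser JS from the question would compute and send."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_a(db: dict, user: str, password: str) -> None:
    db[user] = client_side_digest(password)

def login_a(db: dict, user: str, submitted_digest: str) -> bool:
    """The server only ever sees digests, so it can only compare digests."""
    stored = db.get(user)
    return stored is not None and hmac.compare_digest(stored, submitted_digest)

# --- Scheme B: send the password over TLS, hash server-side --------------
def store_b(db: dict, user: str, password: str) -> None:
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    db[user] = (salt, key)

def login_b(db: dict, user: str, password: str) -> bool:
    record = db.get(user)
    if record is None:
        return False
    salt, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(key, candidate)

def demo() -> dict:
    """Show what a leaked copy of each user table is worth to whoever holds it."""
    users_a, users_b = {}, {}
    store_a(users_a, "alice", "correct horse")   # constructed sample user
    store_b(users_b, "alice", "correct horse")
    return {
        "a_real_login": login_a(users_a, "alice", client_side_digest("correct horse")),
        # Scheme A: the stored digest is exactly what the server expects to receive.
        "a_stored_value_logs_in": login_a(users_a, "alice", users_a["alice"]),
        "b_real_login": login_b(users_b, "alice", "correct horse"),
        # Scheme B: the stored salt+key is not a password, so it does not log in.
        "b_stored_value_logs_in": login_b(users_b, "alice", users_b["alice"][1].hex()),
        "b_wrong_password": login_b(users_b, "alice", "wrong"),
    }

if __name__ == "__main__":
    print(demo())
```

The two `*_stored_value_logs_in` results are the whole argument: in scheme A the database row is password-equivalent, in scheme B it is not.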