by tptacek
6266 days ago
This is kind of silly:

* The hash you send will probably be password-equivalent; losing it to an attacker is just as bad as losing the password.
* If you're delivering the JS to generate the hash over HTTP, you have exactly the same threat model as with plaintext passwords (attackers will just subst a script that sends the raw password).
* If you have working HTTPS, you already have optimal communications security; just send the password.
* Even if you came up with a challenge-response protocol to make the hash non-replayable, the exchange itself would be vulnerable to a trivial dictionary attack.

Don't bother with this idea. Move on to something that will add real value to your app.
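The first bullet ("the hash you send will probably be password-equivalent") can be made concrete with a small simulation. This is an added example, not code from the comment's author: two hypothetical toy servers, `ClientHashServer` (the rejected scheme, where the client sends `sha256(password)` and the server stores that value verbatim) and `ServerHashServer` (the conventional scheme, where the password travels inside TLS and the server stores a salted, stretched PBKDF2 digest). The sample password is constructed for the demo. In scheme A the transmitted value and the stored value are the same string, so a copy of it from either place logs in; in scheme B a leaked database record does not work as a credential, because the server expects the password, not the digest.

```python
import hashlib
import hmac
import os


def client_side_hash(password: str) -> str:
    """Scheme A: the value the client-side JS would send instead of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class ClientHashServer:
    """Scheme A (hypothetical): server receives H(password) and stores it as-is."""

    def __init__(self) -> None:
        self.db: dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self.db[user] = client_side_hash(password)

    def login(self, user: str, submitted_hash: str) -> bool:
        stored = self.db.get(user)
        return stored is not None and hmac.compare_digest(stored, submitted_hash)


class ServerHashServer:
    """Scheme B (hypothetical): password arrives over TLS; server salts and stretches it."""

    ITERATIONS = 100_000

    def __init__(self) -> None:
        self.db: dict[str, tuple[bytes, bytes]] = {}

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self.ITERATIONS
        )

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)  # per-user random salt
        self.db[user] = (salt, self._derive(password, salt))

    def login(self, user: str, password: str) -> bool:
        record = self.db.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(password, salt))


def password_equivalence_demo() -> dict[str, bool]:
    """Return which credentials each scheme accepts (constructed sample data)."""
    password = "correct horse battery staple"  # constructed sample password

    a = ClientHashServer()
    a.register("alice", password)
    # The value that crosses the wire in scheme A is exactly the stored value...
    on_the_wire = client_side_hash(password)
    # ...so a copy of it from either place is accepted without the password.
    a_wire_copy_logs_in = a.login("alice", on_the_wire)
    a_db_copy_logs_in = a.login("alice", a.db["alice"])

    b = ServerHashServer()
    b.register("alice", password)
    b_password_logs_in = b.login("alice", password)
    # A copy of the salted digest is not a credential in scheme B.
    b_db_copy_logs_in = b.login("alice", b.db["alice"][1].hex())

    return {
        "scheme_a_wire_copy_logs_in": a_wire_copy_logs_in,
        "scheme_a_db_copy_logs_in": a_db_copy_logs_in,
        "scheme_b_password_logs_in": b_password_logs_in,
        "scheme_b_db_copy_logs_in": b_db_copy_logs_in,
    }


if __name__ == "__main__":
    for name, accepted in password_equivalence_demo().items():
        print(f"{name}: {accepted}")
```

The comparison uses `hmac.compare_digest` in both servers so that timing is not what separates them; the difference is purely what the server treats as the secret. Scheme B also shows why the comment says to "just send the password" over HTTPS: the server-side salt and PBKDF2 stretching only help if the server sees the password itself.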