On 080110 at 12:20, Alexander Mueller wrote: > > Could be nice to do that, so there would be no way from javascript to > > get the original value the user has typed. > Thats one point, however as you wrote if the page itself is altered > there is already a much bigger problem, therefore the primary idea > behind the hashing is to prevent that the plain text password is > transmitted over the network.
So its not working against MITM or impersonating the server. The plaintext pw is not transmitted and can not be read by, say, XSS-stuff. But why would anybody care about the plaintext pw if one only needs its hash to authenticate to the server? Additionally, offline dictionary attacks tend to be easy when dealing with passwords. It also doesn't help you to hide the fact that you use the same password over at some other site, as the hashes are the same. secret=hash(realm||pw) could be used to counter that. With secure web authentication (hopefully) comming soon, I think this hash-field is a bad idea. PW-logins should either be dropped alltogether(hello, Nelson :)) or mechanisms like SRP should be employed to enhance their security. SRP inside SSL: https://bugzilla.mozilla.org/show_bug.cgi?id=405155 SRP inside HTTP: https://bugzilla.mozilla.org/show_bug.cgi?id=356855 Corresponding UI: https://bugzilla.mozilla.org/show_bug.cgi?id=268835 There could be other applications besides protecting logins. But I think SSL covers most of them. Thats my 2 cents, at least. /steffen _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
