Hi David,

>> not sure if I understand it well but it seems to me that your hash
>> becomes the password. In other words, if I find out the hash, I can log
>> in (e.g. using my own client).
>>
>
> Yes, I suppose, but the only way I see you getting the hash is:
> a) steal the database
> b) be a MITM over https (I don't do passwords over http when I design a
> site)
> c) browser exploit? not sure if that's possible
All these things happen in the real world. That's why securing login is
hard and confidential stuff leaks all the time. You could address your
current assumptions by, for example:

ad a) use hash+salt server side
ad b) not sure ;-)
ad c) don't use javascript

MITM is probably hardest to address, but a) shouldn't take much effort and
c) depends on your application, I guess.

> I don't do passwords over http when I design a site

Does it mean that you do everything over https? Or login only? How do you
handle sessions then? In the URL (like the standard picolisp GUI), in a query
parameter (using POST) or in a cookie?

Cheers,

Tomas
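The point under "ad a)", as an added example that is not code from this thread or from picolisp: the browser submits a SHA-256 of the password, and the server either stores that token verbatim (so a stolen row is the credential) or salts and re-hashes it with PBKDF2 (so a stolen row no longer logs in). Function names, field names and the use of PBKDF2 as the server-side salted hash are assumptions.

```python
import hashlib
import hmac
import os

# Added example, not code from the thread.  The client always sends
# client_token = SHA-256(password); to the server that token *is* the password.


def client_token(password: str) -> str:
    """What the browser sends instead of the cleartext password."""
    return hashlib.sha256(password.encode()).hexdigest()


# --- Design under discussion: the server stores the client token verbatim ---

def naive_register(password: str) -> dict:
    return {"stored": client_token(password)}


def naive_login(record: dict, submitted_token: str) -> bool:
    # The DB row is the credential: whoever reads it can log in.
    return hmac.compare_digest(record["stored"], submitted_token)


# --- "ad a)": salt and hash the submitted token again on the server ---------

def salted_register(password: str, iterations: int = 100_000) -> dict:
    salt = os.urandom(16)  # per-user random salt, stored next to the digest
    digest = hashlib.pbkdf2_hmac("sha256", client_token(password).encode(),
                                 salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def salted_login(record: dict, submitted_token: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", submitted_token.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(record["digest"], digest)


def stolen_db_replay(login_fn, record: dict) -> bool:
    """Case a) from the thread: the stored value itself is sent as the token."""
    stored = record["stored"] if "stored" in record else record["digest"].hex()
    return login_fn(record, stored)
```

Note that this only changes what a stolen database is worth; cases b) and c) in the thread, where the token is captured in transit or in the browser, are untouched by server-side salting.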