Hi,
> If you want to get this into Django, I think you'll need to provide a solid
> proof of concept that shows you can work around the objections raised in
> this thread (graceful degradation, backwards compatibility) and, more
> importantly, that shows this is something actually useful and

Hi,
> There's still a benefit, because you're sending passwords in the clear
> much less frequently--an imperfect improvement is still an
> improvement. (Similarly, self-signed SSL certificates are much more
> secure than plaintext, despite what your browser's ill-conceived
> warnings might

Hi,
So Django hashes passwords server-side with a per-user salt? In that
case you do need an Ajax request at login to do the hashing. It's easy
enough to create a random (but consistent) response for non-existing
users. Or you could make it a configuration option whether Django uses
per-user or

Hi,
Many web sites have a user name and password login system, and do not
use SSL. As a consequence, users' passwords are transmitted over the
internet unencrypted. This puts them at risk, particularly if the user
is on a shared ethernet segment, or open wireless network.
For many years I have