On Tue, Dec 28, 2010 at 21:57, Nathan Rixham <nrixham@xxxxxxxxx> wrote: > Don't trim or limit the range of input characters, but far more importantly > /don't send passwords in clear text/, indeed don't generate passwords at > all, let users enter there desired password, then they won't be copy and > pasting them ;) > > ps: if unavoidable, then give some advice on "login" failure like "passwords > are case sensitive, check you don't have caps lock on and that you haven't > included any additional spaces". > I'm toying with the idea of having the passwords hashed twice: they're already in the database hashed, and javascript hashes them on the client before sending them over, but I'm thinking about sending an additional salt to the client to hash the hashed passwords with salt, and that's what is sent back. This way, each login is done with a different hash of the password so an attacker cannot simply capture and reuse the hashed password. But before all that goes on, I have to decide what to do about leading and trailing spaces. -- Dotan Cohen http://gibberish.co.il http://what-is-what.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php