Joshua Kehn wrote:
On Dec 28, 2010, at 3:18 PM, Dotan Cohen wrote:
I'm toying with the idea of having the passwords hashed twice: they're
already in the database hashed, and javascript hashes them on the
client before sending them over, but I'm thinking about sending an
additional salt to the client to hash the hashed passwords with salt,
and that's what is sent back. This way, each login is done with a
different hash of the password so an attacker cannot simply capture
and reuse the hashed password.
But before all that goes on, I have to decide what to do about leading
and trailing spaces.
Toy with it and discard it. Client side hashing / salting is not a good idea. A much better alternative is to use SSL.
indeed, and on reflection, if you're putting this much effort in to it,
and security is a worry, then forget username and passwords, and issue
each user with a client side RSA v3 certificate and identify them via
the public key of the cert.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
