On Dec 28, 2010, at 3:29 PM, Nathan Rixham wrote: > Joshua Kehn wrote: >> On Dec 28, 2010, at 3:18 PM, Dotan Cohen wrote: >>> I'm toying with the idea of having the passwords hashed twice: they're >>> already in the database hashed, and javascript hashes them on the >>> client before sending them over, but I'm thinking about sending an >>> additional salt to the client to hash the hashed passwords with salt, >>> and that's what is sent back. This way, each login is done with a >>> different hash of the password so an attacker cannot simply capture >>> and reuse the hashed password. >>> >>> But before all that goes on, I have to decide what to do about leading >>> and trailing spaces. >> Toy with it and discard it. Client side hashing / salting is not a good idea. A much better alternative is to use SSL. > > indeed, and on reflection, if you're putting this much effort in to it, and security is a worry, then forget username and passwords, and issue each user with a client side RSA v3 certificate and identify them via the public key of the cert. I just realize that this would also completely solve your trim() problem! Regards, -Josh ____________________________________ Joshua Kehn | Josh.Kehn@xxxxxxxxx http://joshuakehn.com
