Re: Securing Password Inputs

From: Arthur Clifford <art@artspad.net>
Date: Thu, 30 Aug 2012 16:19:07 -0700
To: public-html-comments@w3.org
Message-Id: <CA30EFA5-7CF7-4C70-9BB0-8E1C002DBA62@artspad.net>

Why not request the salt from the server?
The server could choose whether to always use the same salt or to have rotating salts etc. 
The problem with specifying how to encrypt things in a public specification is that everybody knows how it is done, and therefore all you are doing is resetting the timer for hackers to figure things out. There should be something provided by servers that the server knows and trusts.


-Art C


On Aug 30, 2012, at 11:21 AM, Jason H wrote:

> Would it appease you if it were suggested that the standard be, that if no SALT attribute is supplied on the INPUT field (zero length or not present), the domain name of the ACTION attribute is used. In this way, you can accomplish those consolidations and divestments between domains?

Received on Thursday, 30 August 2012 23:19:31 GMT
