W3C home > Mailing lists > Public > public-html@w3.org > January 2008

Issues with <input type="hash"> (was Re: New Input type proposal)

From: Matthew Raymond <mattraymond@earthlink.net>
Date: Wed, 16 Jan 2008 06:51:42 -0500
Message-ID: <478DEFCE.8020701@earthlink.net>
To: Alexander Mueller <alexm@gmx.at>
CC: Maciej Stachowiak <mjs@apple.com>, public-html@w3.org

Alexander Mueller wrote:
> Thats the point, the server is sending the replay salt but as it is always different it is not "replayable".

    The trouble is that you're sending a hash, not the password, and you 
can't get a password from a hash because the hash is not an encrypted 
version of the password, but merely a semi-unique number generated from 
the password. Thus, the server would have to know the password in 
advance for the one-time hash solution to work. If that's the case, then 
an attacker need only capture the password when you first create your 
account and it's game over.

    Yes, you can theoretically create a random password and send it by 
email, but that still leaves two problems. First, the user may not 
remember the random password. Second, if someone is monitoring your web 
traffic, how hard can it be to read your email? Encrypt the email? Might 
as well just do encryption from the start and avoid such a complex solution.

    What we need is a better encryption solution, not a better hash 
solution, especially if we're sending one-time sensitive data like 
credit card numbers and the like.
Received on Wednesday, 16 January 2008 11:52:18 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:38:52 UTC