- From: Terence Eden <terence.eden@digital.cabinet-office.gov.uk>
- Date: Mon, 8 Oct 2018 06:58:51 +0100
- To: Guru Partap Khalsa <horus.scope@gmail.com>
- Cc: public-webapps@w3.org
Received on Monday, 8 October 2018 05:59:26 UTC
I wrote about this a few years ago.
https://shkspr.mobi/blog/2016/11/password-hashing-in-the-browser/
For example, using something like
`<input type="password" encrypt="bcrypt" salt="abc..." rounds="4" pattern=".{6,}">`
There is discussion in the comments about the disadvantages and
practicalities of this approach.
I still think it would be an interesting idea - but I'm not sure if it
solves the problem.
On Sun, 7 Oct 2018, 18:46 Guru Partap Khalsa, <horus.scope@gmail.com> wrote:
> It is a shame that if you changed your domain you would have to force
> users to reset their passwords. I did mean hash and not encrypt, that was
> my mistake; the salt (which could optionally have a server generated salt
> on top of that) was intended to prevent the server from being able to
> replay your password to other servers. I'm glad this area of the internet
> is more insightful and understanding toward security analysis than the rest
> of the general public spaces such as stack exchange, where this inquiry and
> many others are met with random hostility and ignorance.
>
--
*Terence Eden*
Open Standards
+44 7717 512 963
Government Digital Service
View my calendar
<https://calendar.google.com/calendar/embed?src=terence.eden%40digital.cabinet-office.gov.uk&ctz=Europe/London>