Re: Issues with <input type="hash"> (was Re: New Input type proposal)

Matthew Raymond wrote:
> 
>     The trouble is that you're sending a hash, not the password, and you 
> can't get a password from a hash because the hash is not an encrypted 
> version of the password, but merely a semi-unique number generated from 
> the password. Thus, the server would have to know the password in 
> advance for the one-time hash solution to work. If that's the case, then 
> an attacker need only capture the password when you first create your 
> account and it's game over.

The server wouldnt need the password but only its hash. It is correct that an attacker having captured the registration transmission would be able to do this, but this is no different from the current solution and I'd assume most attacks dont exactly target registrations but rather logins.

> 
>     What we need is a better encryption solution, not a better hash 
> solution, especially if we're sending one-time sensitive data like 
> credit card numbers and the like.

Well, thats what SSL is for and I dont think we need a better one here. However there we still have the issue of the actual password being revealed to the server side. Furthermore SSL is not extremely popular in terms of majority, whereas almost every site is using hashed passwords.

Alexander
-- 
GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS.
Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail

Received on Wednesday, 16 January 2008 12:04:17 UTC