- From: Patrick H. Lauke <redux@splintered.co.uk>
- Date: Sun, 7 Oct 2018 01:44:32 +0100
- To: public-webapps@w3.org
On 06/10/2018 23:51, Guru Partap Khalsa wrote:
> Presently, to encrypt a password type input without javascript, we are
> forced to trust a server-side script.
> So that for example, the client is actually required to trust the remote
> server with their password unnecessarily.
> If there were some standard which defined a way in which <input
> type="password"> were automatically encrypted with sha and salted with
> the present domain, it would mean that the server can't ever see the
> user's password. That way, we can make login systems which can't be
> compromised under any circumstances.

Until a site needs to move/subtly change its domain.

Also, salting with the domain name means your salt is known to pretty
much anybody, so rather pointless?

P
--
Patrick H. Lauke

www.splintered.co.uk | https://github.com/patrickhlauke
http://flickr.com/photos/redux/ | http://redux.deviantart.com
twitter: @patrick_h_lauke | skype: patrick_h_lauke
Received on Sunday, 7 October 2018 00:44:56 UTC
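
Added example, not part of the original thread: a sketch of the two objections raised in the reply, a domain change invalidating every stored value and a domain-wide salt failing to separate accounts. The construction SHA-256(domain || 0x00 || password), the account names, the passwords and the PBKDF2 contrast case are assumptions made for illustration; the proposal only says "sha" and "salted with the present domain".

```python
import hashlib
import hmac
import os


def domain_salted_hash(domain: str, password: str) -> str:
    # Assumed construction; the proposal does not specify one.
    return hashlib.sha256(domain.encode() + b"\x00" + password.encode()).hexdigest()


def per_user_hash(password: str, salt: bytes) -> str:
    # Contrast case: random per-account salt with a slow KDF (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def login_ok(stored: str, domain: str, password: str) -> bool:
    # All a server can check if it only ever receives the domain-salted value.
    return hmac.compare_digest(stored, domain_salted_hash(domain, password))


# Constructed sample accounts; two users happen to share a password.
ACCOUNTS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}


def distinct_domain_hashes(domain: str) -> int:
    # The domain is identical for every account, so equal passwords give equal values.
    return len({domain_salted_hash(domain, pw) for pw in ACCOUNTS.values()})


def distinct_per_user_hashes() -> int:
    # A fresh random salt per account separates even identical passwords.
    return len({per_user_hash(pw, os.urandom(16)) for pw in ACCOUNTS.values()})


if __name__ == "__main__":
    stored = domain_salted_hash("example.com", ACCOUNTS["alice"])
    print("login on example.com:    ", login_ok(stored, "example.com", ACCOUNTS["alice"]))
    print("login after domain move: ", login_ok(stored, "www.example.org", ACCOUNTS["alice"]))
    print("distinct values, domain salt:  ", distinct_domain_hashes("example.com"), "of", len(ACCOUNTS))
    print("distinct values, per-user salt:", distinct_per_user_hashes(), "of", len(ACCOUNTS))
```
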