
Re: Browser side form encryption

From: Patrick H. Lauke <redux@splintered.co.uk>
Date: Sun, 7 Oct 2018 01:44:32 +0100
To: public-webapps@w3.org
Message-ID: <2a250efc-867a-a78a-9035-799fce559c27@splintered.co.uk>

On 06/10/2018 23:51, Guru Partap Khalsa wrote:
> Presently, to encrypt a password type input without JavaScript, we are 
> forced to trust a server-side script.
> So that for example, the client is actually required to trust the remote 
> server with their password unnecessarily.
> If there were some standard which defined a way in which <input 
> type="password"> were automatically encrypted with SHA and salted with 
> the present domain, it would mean that the server can't ever see the 
> user's password. That way, we can make login systems which can't be 
> compromised under any circumstances.

Until a site needs to move/subtly change its domain. Also, salting with 
the domain name means your salt is known to pretty much anybody, so 
rather pointless?

P
-- 
Patrick H. Lauke

www.splintered.co.uk | https://github.com/patrickhlauke
http://flickr.com/photos/redux/ | http://redux.deviantart.com
twitter: @patrick_h_lauke | skype: patrick_h_lauke
Received on Sunday, 7 October 2018 00:44:56 UTC
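
The scheme proposed in the quoted message, and what a server storing its output ends up holding, as an added example that is not part of the original thread. SHA-256, the domain-then-password layout, the `Server` class and the `.example` domains are assumptions made for illustration; the thread only says "sha" and "salted with the present domain".

```python
import hashlib
import hmac


def client_digest(domain: str, password: str) -> str:
    """Value the browser would submit under the proposal: a hash over the
    page's domain (acting as the salt) and the typed password.
    Assumed construction: SHA-256(domain || 0x00 || password)."""
    return hashlib.sha256(domain.encode() + b"\x00" + password.encode()).hexdigest()


class Server:
    """Hypothetical login backend: it only ever sees and stores the digest."""

    def __init__(self):
        self.verifiers = {}

    def register(self, user: str, submitted: str) -> None:
        self.verifiers[user] = submitted

    def login(self, user: str, submitted: str) -> bool:
        stored = self.verifiers.get(user)
        return stored is not None and hmac.compare_digest(stored, submitted)


def demo() -> dict:
    old_domain, new_domain = "shop.example", "store.example"  # constructed
    password = "correct horse"                                # constructed
    server = Server()
    server.register("alice", client_digest(old_domain, password))
    server.register("bob", client_digest(old_domain, password))
    return {
        # Ordinary login from the original domain works.
        "normal_login": server.login("alice", client_digest(old_domain, password)),
        # The server compares digests, so the stored digest is itself the
        # credential and needs the same protection as a plaintext password.
        "stored_value_is_credential": server.login("alice", server.verifiers["alice"]),
        # The domain is the same for every user, so equal passwords on one
        # site produce equal stored values.
        "same_password_same_digest": server.verifiers["alice"] == server.verifiers["bob"],
        # After a domain change the browser derives a different digest and
        # every stored verifier stops matching.
        "login_after_domain_change": server.login("alice", client_digest(new_domain, password)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```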
