Re: Browser side form encryption

From: Terence Eden <terence.eden@digital.cabinet-office.gov.uk>
Date: Mon, 8 Oct 2018 06:58:51 +0100
Message-ID: <CACBny7oEtkaSAdQcMjhBWFjo1QX=ycqCBqe5QA5kQwgENyFpkg@mail.gmail.com>
To: Guru Partap Khalsa <horus.scope@gmail.com>
Cc: public-webapps@w3.org

I wrote about this a few years ago.
https://shkspr.mobi/blog/2016/11/password-hashing-in-the-browser/

For example, using something like
`<input type="password" encrypt="bcrypt" salt="abc..." rounds="4" pattern=".{6,}">`

There is discussion in the comments about the disadvantages and
practicalities of this approach.

I still think it would be an interesting idea - but I'm not sure if it
solves the problem.

On Sun, 7 Oct 2018, 18:46 Guru Partap Khalsa, <horus.scope@gmail.com> wrote:

> It is a shame that if you changed your domain you would have to force
> users to reset their passwords. I did mean hash and not encrypt, that was
> my mistake; the salt (which could optionally have a server generated salt
> on top of that) was intended to prevent the server from being able to
> replay your password to other servers. I'm glad this area of the internet
> is more insightful and understanding toward security analysis than the rest
> of the general public spaces such as stack exchange, where this inquiry and
> many others are met with random hostility and ignorance.
>
-- 
*Terence Eden*
Open Standards
+44 7717 512 963 <+447717512963>
Government Digital Service

Received on Monday, 8 October 2018 05:59:26 UTC
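
The scheme discussed in this thread, as an added example that is not part of either message: a Node.js sketch in which the browser-side hash is salted with the site's domain plus a page-supplied salt, and the server hashes the submitted value again before storing it. PBKDF2 stands in for bcrypt (which is not in Node's standard library); the function names, the domains and the way the two salts are combined are assumptions.

```javascript
// Added example, not from the thread. Models the hypothetical
// <input encrypt=... salt=...> behaviour and the server's side of it.
const nodeCrypto = require('node:crypto');

// Assumption: PBKDF2-SHA256 replaces bcrypt; the iteration count is illustrative.
const CLIENT_ITERATIONS = 100000;

// Browser side: the salt binds the hash to the site's domain, so the same
// password yields unrelated values on different sites.
function clientHash(password, domain, pageSalt) {
  const salt = Buffer.from(`${domain}\u0000${pageSalt}`, 'utf8');
  return nodeCrypto.pbkdf2Sync(password.normalize('NFKC'), salt,
    CLIENT_ITERATIONS, 32, 'sha256');
}

// Server side: the submitted hash is what logs the user in at this site,
// so it is salted and hashed again rather than stored as received.
function enroll(submitted) {
  const serverSalt = nodeCrypto.randomBytes(16);
  return { serverSalt, stored: nodeCrypto.scryptSync(submitted, serverSalt, 32) };
}

function verify(record, submitted) {
  const candidate = nodeCrypto.scryptSync(submitted, record.serverSalt, 32);
  return nodeCrypto.timingSafeEqual(candidate, record.stored);
}

// Constructed sample values.
const PASSWORD = 'correct horse battery staple';
const PAGE_SALT = 'constructed-page-salt';

function demo() {
  const atA = clientHash(PASSWORD, 'a.example', PAGE_SALT);
  const atB = clientHash(PASSWORD, 'b.example', PAGE_SALT);
  const recordA = enroll(atA);
  const recordB = enroll(atB);
  const moved = clientHash(PASSWORD, 'a-new.example', PAGE_SALT);
  return {
    loginAtA: verify(recordA, atA),            // same site, same password
    replayAtoB: verify(recordB, atA),          // value seen by A is useless at B
    afterDomainChange: verify(recordA, moved)  // new domain: stored record no longer matches
  };
}
```

The `afterDomainChange` result is the password-reset cost raised in the quoted message: once the domain is part of the salt, the stored records cannot be carried over to a new domain.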