Re: [whatwg] Passwords

On 2014-10-17 17:09, Nils Dagsson Moskopp wrote:
> Roger Hågensen <rescator@emsai.net> writes:
>
>> Also http logins with plaintext transmission of passwords/passphrases
>> need to go away, and is a pet peeve of mine, I detest Basic
>> HTTP-Authentication which is plaintext.
> Note that Basic Auth + HTTPS provides reliable transport security.

This precludes that a site has a certificate, and despite someone like 
StartSSL giving them out free, sites and forums still do not use HTTPS.
Basic Auth is also plaintext, so the server is not Zero Knowledge.

>
>> Hashing the password (or passphrase) in the client is the right way to
>> go, but currently javascript is needed to make that possible.
> Do you know about HTTP digest authentication?
> <http://en.wikipedia.org/wiki/Digest_access_authentication>
>
Yes, and it's why I said "Basic HTTP Authentication"; Digest is the 
better method of HTTP Authentication.
I know that very well, and it's very underdeveloped: there is no 
logout possible (you stay logged in until the browser session is ended 
by the user), styling the login is not possible, and it's not as easy to 
implement with AJAX methods.


-- 
Roger "Rescator" Hågensen.
Freelancer - http://www.EmSai.net/

Received on Saturday, 18 October 2014 17:54:31 UTC
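The contrast the thread draws between Basic and Digest authentication can be seen directly on the wire. The following is an added example, not code from the thread or from any of its participants: it decodes a Basic `Authorization` value to show that the password is recoverable verbatim from the header, and then computes and verifies an RFC 2617 Digest response (qop=auth), in which only a hash derived from the password is transmitted. The user name, realm, nonce and password values are constructed for the demonstration; the verifier stores only H(A1) = MD5(user:realm:password), as RFC 2617 permits, rather than the password itself.

```python
import base64
import hashlib
import secrets


def md5_hex(s: str) -> str:
    """Hex MD5 of a UTF-8 string (the hash RFC 2617 Digest auth uses)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def decode_basic(header_value: str) -> tuple[str, str]:
    """Recover (user, password) from a Basic Authorization header value.

    Base64 is an encoding, not encryption: anyone who can read the header
    (e.g. on plain HTTP) reads the password.
    """
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def digest_response(user: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client side of RFC 2617 Digest auth (qop=auth): the value sent as response=."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1: str, method: str, uri: str, nonce: str, nc: str,
                  cnonce: str, response: str, qop: str = "auth") -> bool:
    """Server side: recompute the response from the stored H(A1) and compare.

    The server never needs the plaintext password here, only H(A1); the
    comparison is constant-time to avoid leaking how many hex digits matched.
    """
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real exchange.
    user, realm, password = "alice", "example", "s3cret"
    basic_header = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    print("Basic header :", basic_header)
    print("Decoded      :", decode_basic(basic_header))  # password in the clear

    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    resp = digest_response(user, realm, password, "GET", "/dir/index.html", nonce, nc, cnonce)
    print("Digest response:", resp)  # a 32-hex-digit hash; the password itself is absent
    stored_ha1 = md5_hex(f"{user}:{realm}:{password}")  # what the server keeps
    print("Verified     :", verify_digest(stored_ha1, "GET", "/dir/index.html", nonce, nc, cnonce, resp))
```

Two caveats the code makes visible: Basic over HTTPS is protected only by the TLS channel, and the Basic value is the password itself once that channel ends at the server; Digest keeps the password off the wire, but it rests on MD5 and a nonce scheme the server must manage, so neither mechanism replaces a proper password-storage scheme on the server.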