Re: <input type=password> with hash function

On 21/07/2021 23:07, Patrick H. Lauke wrote:
> 
> But doing that, the site just revealed their salt to the world, so 
> anybody who manages to get hold of the user database can crack it with 
> far greater ease.

That's not what is being suggested.  The suggestion is for those 
(basically everyone these days) who don't actually use HTTP 
authentication, that the input element should provide something 
analogous to WWW-Authenticate: with digest authentication. What was 
called salt isn't stored in the password file, but is what is usually called 
a nonce, and is a short-lived random challenge.

Received on Wednesday, 21 July 2021 22:44:15 UTC
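
The nonce-based exchange described in the reply above, as an added example that is not part of the original message or of any browser or server implementation: a simplified digest-style challenge-response in which the server issues a short-lived, single-use nonce and the client sends a hash bound to it. The names Server, client_response and NONCE_TTL, the realm "example", the 30-second lifetime and the sample credentials are assumptions made for the illustration, and the response formula is reduced from what HTTP digest authentication actually computes.

```python
import hashlib
import hmac
import secrets

NONCE_TTL = 30  # seconds a challenge stays valid (assumed value)

def h(*parts):
    # SHA-256 over colon-joined fields, the construction digest auth uses
    return hashlib.sha256(":".join(parts).encode()).hexdigest()

class Server:
    def __init__(self, realm):
        self.realm = realm
        self.verifiers = {}  # user -> H(user:realm:password); holds no nonce
        self.pending = {}    # nonce -> expiry time, kept only until used

    def register(self, user, password):
        self.verifiers[user] = h(user, self.realm, password)

    def challenge(self, now):
        # Fresh random challenge per login attempt; 'now' is passed in so
        # the example is deterministic (a real server would read its clock).
        nonce = secrets.token_hex(16)
        self.pending[nonce] = now + NONCE_TTL
        return nonce

    def verify(self, user, nonce, response, now):
        expiry = self.pending.pop(nonce, None)  # single use: a replay finds nothing
        if expiry is None or now > expiry or user not in self.verifiers:
            return False
        expected = h(self.verifiers[user], nonce)
        return hmac.compare_digest(expected, response)

def client_response(user, realm, password, nonce):
    # What the client would submit in place of the password itself
    return h(h(user, realm, password), nonce)

def demo():
    # Constructed sample account and timestamps
    srv = Server("example")
    srv.register("alice", "correct horse")
    n1 = srv.challenge(now=1000)
    r1 = client_response("alice", "example", "correct horse", n1)
    first = srv.verify("alice", n1, r1, now=1005)   # fresh nonce, right password
    replay = srv.verify("alice", n1, r1, now=1006)  # same response sent again
    n2 = srv.challenge(now=2000)
    r2 = client_response("alice", "example", "correct horse", n2)
    late = srv.verify("alice", n2, r2, now=2000 + NONCE_TTL + 1)  # nonce expired
    return first, replay, late, r1 != r2

if __name__ == "__main__":
    print(demo())
```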