Penetration Testing: Re: username and Password sent as clear text strings

Re: username and Password sent as clear text strings

From: arvind doraiswamy <arvind.doraiswamy_at_gmail.com>
Date: Wed, 21 May 2008 09:53:01 +0530

@Marvin: I was talking of a salted hash where not even the client
knows what salt is going to be used because it will be a rand() function
which will get called. And no, the server must not be allowed to accept
just a plain text password -- it rarely happens that way because it
will run the hash() over the plain text and won't get what it wants.
You will need to send the hash, which you now cannot predict because of
the salt. Then again, if the salt also gets captured as you say -- due
to a lack of HTTPS -- it's game over. I never said this is a replacement
for HTTPS -- it is just defense in depth I am talking about.

Cheers
Arvind

Received on May 21 2008
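The per-login salted-hash scheme discussed in this thread, as an added example that is not code from the post or any product: the server issues a fresh random salt for each login, the client answers with an HMAC of that salt keyed by the password, and the server consumes the salt on first use. Class and function names and the sample user store are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store (demo only; a real server would
# hold a password hash, not the password).
USERS = {"alice": "correct horse battery staple"}


def client_response(salt: str, password: str) -> str:
    """What the client sends instead of the plain-text password."""
    return hmac.new(password.encode(), salt.encode(), hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self.pending = {}  # username -> outstanding salt (challenge)

    def challenge(self, username: str) -> str:
        # The post's rand(): 16 random bytes the client cannot predict.
        salt = secrets.token_hex(16)
        self.pending[username] = salt
        return salt

    def login(self, username: str, response: str) -> bool:
        # The salt is consumed on first use, so a captured response cannot
        # be replayed: the next attempt is issued a different salt.
        salt = self.pending.pop(username, None)
        password = USERS.get(username)
        if salt is None or password is None:
            return False
        return hmac.compare_digest(client_response(salt, password), response)


def demo() -> dict:
    srv = Server()
    salt = srv.challenge("alice")
    captured = client_response(salt, USERS["alice"])  # what a sniffer sees
    first = srv.login("alice", captured)            # genuine login succeeds
    srv.challenge("alice")
    replayed = srv.login("alice", captured)         # replay against new salt fails
    srv.challenge("alice")
    plain = srv.login("alice", USERS["alice"])      # plain text is refused
    # The caveat from the post: once salt and response are both captured
    # (no HTTPS), a password guess can be checked offline, which is why this
    # is defense in depth and not a replacement for TLS.
    offline = hmac.compare_digest(client_response(salt, USERS["alice"]), captured)
    return {"first": first, "replayed": replayed, "plain": plain, "offline": offline}
```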
