[Seaside] Proper password hashing

Boris Popov, DeepCove Labs boris at deepcovelabs.com
Sun Apr 10 19:36:06 UTC 2011


If the attacker sniffs username/hash of a legit user, he can then add
the hash to his own login form as a hidden field manually and gain
access to your system. SSL is the only way to go here.

Hope this helps,


-----Original Message-----
From: seaside-bounces at lists.squeakfoundation.org
[mailto:seaside-bounces at lists.squeakfoundation.org] On Behalf Of Peter
Kwangjun Suk
Sent: 10 April 2011 15:20
To: Seaside - general discussion
Subject: [Seaside] Proper password hashing

I have a question about login forms like this:

   (html form)
       defaultAction: [self confirmLogin];
            [(html heading)
                with: 'Welcome to my site'.
            html bold: 'Enter login name:'.
            (html textInput)
                withValue: '';
                callback: [:v | self login: v].
            html bold: 'Enter password:'.
            (html passwordInput)
                callback: [:c | self password: ((SHA2 hash: c)
asHexString asLowercase) ].
            (html submitButton)
                text: 'Login!'].

Isn't it the case that the password will be sent in plaintext up to the
server, and only then will be hashed?  Wouldn't one have to write
Javascript to hash the password client-side, stuff it into a hidden form
field, clear out the password field, and have >that< request sent up to
the server?  (Right now, I'd rather do that than put up an SSL


There's neither heaven not hell,
save what we grant ourselves.
There's neither fairness nor justice,
save what we grant each other.
seaside mailing list
seaside at lists.squeakfoundation.org

More information about the seaside mailing list