[Seaside] Proper password hashing
Boris Popov, DeepCove Labs
boris at deepcovelabs.com
Sun Apr 10 19:36:06 UTC 2011
If the attacker sniffs username/hash of a legit user, he can then add
the hash to his own login form as a hidden field manually and gain
access to your system. SSL is the only way to go here.
Hope this helps,
From: seaside-bounces at lists.squeakfoundation.org
[mailto:seaside-bounces at lists.squeakfoundation.org] On Behalf Of Peter
Sent: 10 April 2011 15:20
To: Seaside - general discussion
Subject: [Seaside] Proper password hashing
I have a question about login forms like this:
renderContentOn: html
    "Reconstruction: the form, heading, input and submit brushes are assumed; the
     defaultAction:, bold:, callback: and hashing lines are the original fragment"
    html form
        defaultAction: [self confirmLogin];
        with: [
            html heading with: 'Welcome to my site'.
            html bold: 'Enter login name:'.
            html textInput callback: [:v | self login: v].
            html bold: 'Enter password:'.
            html passwordInput callback: [:c | self password: ((SHA2 hash: c)
                asHexString asLowercase) ].
            html submitButton ]
Isn't it the case that the password will be sent in plaintext up to the
server, and only then will be hashed? Wouldn't one have to write
field, clear out the password field, and have >that< request sent up to
the server? (Right now, I'd rather do that than put up an SSL
There's neither heaven nor hell,
save what we grant ourselves.
There's neither fairness nor justice,
save what we grant each other.
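The replay problem Boris describes, worked through as an added example that is not code from this thread or from Seaside. It is written in Python rather than Smalltalk so it can be run directly, and it contrasts the two schemes under discussion: the form above, where the browser submits SHA-256(password) as lowercase hex and the server stores and compares that same hex (scheme A), and a server-side design with a per-user salt and a slow key derivation function (scheme B, using PBKDF2-HMAC-SHA256 from the standard library; scrypt or Argon2 would be the stronger choice). The usernames, passwords and the "sniffed" request are constructed for the example. Note what the example cannot show: scheme B still sends the password itself to the server, so it protects the stored table, not the wire; the wire is what TLS is for.

```python
import hashlib
import hmac
import os


class ClientHashLogin:
    """Scheme A, as in the form from the original message: the browser submits
    SHA-256(password) as lowercase hex, the server stores the same value and
    compares. The hex digest is therefore the credential."""

    def __init__(self):
        self.users = {}  # username -> hex digest

    @staticmethod
    def client_hash(password):
        # Mirrors (SHA2 hash: c) asHexString asLowercase from the form.
        return hashlib.sha256(password.encode()).hexdigest().lower()

    def register(self, user, password):
        self.users[user] = self.client_hash(password)

    def login(self, user, submitted_hash):
        stored = self.users.get(user)
        return stored is not None and hmac.compare_digest(stored, submitted_hash)


class ServerHashLogin:
    """Scheme B: server-side per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256
    here). The password itself travels to the server, so this still needs TLS."""

    ITERATIONS = 50_000  # kept low so the example runs quickly; raise in production

    def __init__(self):
        self.users = {}  # username -> (salt, derived key)

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._derive(password, salt))

    def login(self, user, password):
        record = self.users.get(user)
        if record is None:
            # Do the same work for unknown users so response time does not
            # reveal which usernames exist.
            self._derive(password, bytes(16))
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(password, salt))


def demo():
    """Constructed scenario: a sniffer on a plain-HTTP connection sees one
    login request; separately, the user table leaks."""
    a = ClientHashLogin()
    a.register("peter", "correct horse")
    a.register("boris", "correct horse")
    # What crosses the wire in scheme A is the hex digest. The attacker puts it
    # in a hidden field and submits it without ever learning the password.
    sniffed_request = {"login": "peter",
                       "password": ClientHashLogin.client_hash("correct horse")}
    replayed = a.login(sniffed_request["login"], sniffed_request["password"])
    # The stored value is byte-for-byte what the client sends, so a leaked user
    # table logs in directly, and equal passwords are visible as equal rows.
    leaked_table_login = a.login("peter", a.users["peter"])
    equal_rows = a.users["peter"] == a.users["boris"]

    b = ServerHashLogin()
    b.register("peter", "correct horse")
    b.register("boris", "correct horse")
    _leaked_salt, leaked_key = b.users["peter"]
    # A leaked derived key is not accepted as a password; the real password is,
    # a wrong one is not, and equal passwords give distinct rows (fresh salts).
    leaked_key_login = b.login("peter", leaked_key.hex())
    real_login = b.login("peter", "correct horse")
    wrong_login = b.login("peter", "wrong horse")
    unknown_user = b.login("nobody", "correct horse")
    distinct_rows = b.users["peter"][1] != b.users["boris"][1]

    return {
        "client_hash_replay_succeeds": replayed,
        "client_hash_leaked_table_logs_in": leaked_table_login,
        "client_hash_equal_passwords_equal_rows": equal_rows,
        "server_hash_leaked_key_logs_in": leaked_key_login,
        "server_hash_real_password_logs_in": real_login,
        "server_hash_wrong_password_logs_in": wrong_login,
        "server_hash_unknown_user_logs_in": unknown_user,
        "server_hash_equal_passwords_distinct_rows": distinct_rows,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the two properties the thread turns on: in scheme A the sniffed digest and the stored digest are both accepted as the credential, so hashing in the browser buys nothing against a sniffer and turns a database leak into a credential leak; in scheme B the stored value is useless as a login, but only TLS keeps the password off the wire.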
seaside mailing list
seaside at lists.squeakfoundation.org