[Seaside] Proper password hashing
Sebastian Sastre
sebastian at flowingconcept.com
Mon Apr 11 13:23:15 UTC 2011
Why? I mean why do that instead of salt-hashing it while relying on SSL for the client side?
On Apr 10, 2011, at 4:19 PM, Peter Kwangjun Suk wrote:
> I have a question about login forms like this:
>
> (html form)
>     defaultAction: [self confirmLogin];
>     with: [
>         (html heading)
>             level3;
>             with: 'Welcome to my site'.
>         html bold: 'Enter login name:'.
>         (html textInput)
>             withValue: '';
>             callback: [:v | self login: v].
>         html bold: 'Enter password:'.
>         (html passwordInput)
>             callback: [:c | self password: ((SHA2 hash: c)
>                 asHexString asLowercase) ].
>         (html submitButton)
>             text: 'Login!'].
>
> Isn't it the case that the password will be sent in plaintext up to
> the server, and only then will be hashed? Wouldn't one have to write
> Javascript to hash the password client-side, stuff it into a hidden
> form field, clear out the password field, and have >that< request sent
> up to the server? (Right now, I'd rather do that than put up an SSL
> server.)
>
> --Peter
>
> --
> There's neither heaven nor hell,
> save what we grant ourselves.
> There's neither fairness nor justice,
> save what we grant each other.
> _______________________________________________
> seaside mailing list
> seaside at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
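As an added illustration of the "salt-hash it server-side and rely on SSL for the wire" approach Sebastian's reply points at, here is a small Python example (not code from Sebastian, Peter, or the Seaside project; written in Python rather than Smalltalk so it runs anywhere). The in-memory user store, the login names, the PBKDF2 iteration count and the function names are all assumptions made for the example. It stores a random per-user salt plus a PBKDF2-HMAC-SHA256 digest, verifies in constant time, and shows why the bare `SHA2 hash:` in the quoted form is weaker: two users with the same password get the same unsalted digest, but different salted ones.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user database": login name -> stored record.
# In a real application this is the persistent store; it is an assumption here.
_USERS = {}

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def register(login, password):
    """Store a random per-user salt and the PBKDF2-HMAC-SHA256 of the password.

    The plaintext password travels to the server over SSL/TLS and is hashed
    there; it is never stored.  This is the server-side salt-hashing scheme.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    _USERS[login] = {"salt": salt, "hash": digest, "iterations": ITERATIONS}
    return _USERS[login]


def verify(login, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    record = _USERS.get(login)
    if record is None:
        # Do comparable work for unknown logins so response time does not
        # reveal which login names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\0" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def unsalted_sha256_hex(password):
    """The scheme in the quoted form: a bare SHA-2 of the password, lowercase hex.

    Included only to contrast it with the salted version above.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest().lower()


def same_password_same_hash(a_login, b_login, password):
    """Register two users with one password; return (unsalted_equal, salted_equal).

    Unsalted digests are identical across users, so one precomputed table
    breaks every account using that password; salted digests differ.
    """
    register(a_login, password)
    register(b_login, password)
    unsalted_equal = unsalted_sha256_hex(password) == unsalted_sha256_hex(password)
    salted_equal = _USERS[a_login]["hash"] == _USERS[b_login]["hash"]
    return unsalted_equal, salted_equal


if __name__ == "__main__":
    register("peter", "correct horse battery staple")
    print(verify("peter", "correct horse battery staple"))   # True
    print(verify("peter", "wrong password"))                 # False
    print(same_password_same_hash("alice", "bob", "hunter2"))  # (True, False)
```

Two points the example makes concrete. First, hashing only on the client does not remove the need for SSL: whatever value the browser sends is what the server compares against, so an unencrypted `SHA2 hash:` of the password is simply the new credential and anyone who can read the request can replay it. Second, the salt and the iteration count are what make the stored digests resistant to precomputed tables, and neither is present in the quoted form's single SHA-2 call.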