On Dec 28, 2010, at 3:18 PM, Dotan Cohen wrote: > I'm toying with the idea of having the passwords hashed twice: they're > already in the database hashed, and javascript hashes them on the > client before sending them over, but I'm thinking about sending an > additional salt to the client to hash the hashed passwords with salt, > and that's what is sent back. This way, each login is done with a > different hash of the password so an attacker cannot simply capture > and reuse the hashed password. > > But before all that goes on, I have to decide what to do about leading > and trailing spaces.
Toy with it and discard it. Client side hashing / salting is not a good idea. A much better alternative is to use SSL. Regards, -Josh ____________________________________ Joshua Kehn | josh.k...@gmail.com http://joshuakehn.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
