I'm not sure why you think that would be a better way? Assuming you are
already using TLS correctly (2048 bit keys, TLS v1.2, proper cipher suites,
forward secrecy, etc. etc.) a simple way to achieve much higher security is
to support two factor authentication.
There are a number of systems fo
I am not going to comment on the security side of things here, since as
others already commented: you do not win much security wise. If you are
worried about plaintext password leaks via MITM, use TLS - period
On Saturday, January 14, 2017 at 7:24:24 PM UTC+1, Chris Priest wrote:
>
> Has anyone
On Saturday 14 January 2017 10:24:24 Chris Priest wrote:
> The way django's authentication system works is that when you
> register, you send the password to the server, then the server runs
> that password through some hashing algorithms, then the resulting
> hash is stored in the database. When t
That's correct, Anthony. And you then want to hash the hash so that
you can't just login knowing the hashed password when the database is
leaked. Essentially you haven't won anything.
Second, how do you make sure the JavaScript is properly transmitted and
doesn't contain any code that sends off
Chris, then the password is the hash itself. It doesn't really have any
security benefits.
Disclaimer: I'm not a security expert
On 14 Jan 2017 18:24, "Chris Priest" wrote:
> The way django's authentication system works is that when you register,
> you send the password to the server, then the
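The point made in these replies (the stored hash can't be used to log in because the server re-hashes it, but the value the client sends becomes the credential itself) as a small Python simulation added here, not code from the thread or from Django. It assumes SHA-256 as the client-side pre-hash and salted PBKDF2 as the server-side hash.

```python
import hashlib
import hmac
import os

# Constructed simulation of the design discussed in the thread:
# the client hashes the password before sending, and the server
# hashes that value again ("hash the hash") before storing it.
# Assumed parameters: SHA-256 on the client, salted PBKDF2 on the server.

def client_side_hash(password: str) -> str:
    """What a JavaScript pre-hash would send instead of the password."""
    return hashlib.sha256(password.encode()).hexdigest()

def server_hash(secret: str, salt: bytes) -> bytes:
    """Server-side slow, salted hash of whatever the client sent."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class UserDB:
    def __init__(self):
        self.rows = {}  # username -> (salt, stored_hash)

    def register(self, username: str, sent_value: str) -> None:
        salt = os.urandom(16)
        self.rows[username] = (salt, server_hash(sent_value, salt))

    def login(self, username: str, sent_value: str) -> bool:
        salt, stored = self.rows[username]
        return hmac.compare_digest(stored, server_hash(sent_value, salt))

def demo():
    db = UserDB()
    # Client pre-hashes before sending; this is the value on the wire.
    wire_value = client_side_hash("correct horse battery staple")
    db.register("alice", wire_value)
    # 1. A leaked DB row is not a usable credential: the server re-hashed it.
    _, leaked = db.rows["alice"]
    db_row_works = db.login("alice", leaked.hex())
    # 2. The value on the wire, however, authenticates on its own, so it
    #    needs exactly the same transport protection (TLS) as a plaintext
    #    password would. Nothing has been gained on that side.
    wire_value_works = db.login("alice", wire_value)
    return db_row_works, wire_value_works

if __name__ == "__main__":
    print(demo())  # (False, True)
```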
The way django's authentication system works is that when you register, you
send the password to the server, then the server runs that password through
some hashing algorithms, then the resulting hash is stored in the database.
When the user logs in, the password again is sent to the server, and