Posted by Alexander Mueller on 01/09/08 21:22
Unfortunately Disco Octopus' posting isn't listed on my news server, so I
have to reply to myself .....
Disco Octopus wrote:
>
> A few years ago we had implemented a similar concept using JavaScript
> and hashing of the password pre-posting.
>
> As others have mentioned, it did not prevent hackers from obtaining
> the hashed value, which of course was the same value as to be
> retrieved on the server.
>
> Perhaps naivety led us to feel that if the hacker did not know exactly
> what was entered into the form (pre-hash), then this was at least some
> form of security.
Of course, attackers can obtain the hashed value, but this is a simple
replay attack and not the primary target of the hashing idea itself.
Here the replay salt comes into play.
>
> I think it is a great idea that you have, and I do hope that it will
> be at least investigated to the nth.
Thank you. If you use Firefox 2, please have a look at the mentioned
extension to see the actual concept.
Alexander