Posted by Alexander Mueller on 01/09/08 21:38

Disco Octopus wrote:
>
> A few years ago we had implemented a similar concept using javascript
> and hashing of the password pre posting.
>
> As others have mentioned, it did not prevent hackers from obtaining
> the hashed value, which of course was the same value as to be
> retrieved on the server.
>
> Perhaps naivety led us to feel that if the hacker did not know exactly
> what was entered into the form (pre hash), then this was at least some
> form of security.

Of course, attackers can obtain the hashed value, but this is a simple
replay attack and not the primary target of the hashing idea itself.
Here the replay salt comes into play.

>
> I think it is a great idea that you have, and I do hope that it will
> be at least investigated to the nth.

Thank you, if you use Firefox 2 please have a look at the mentioned
extension to see the actual concept.

Alexander

[Back to original message]