containing the RC5 checksums of real files,
You mean MD5 checksum?
This isn't secure
on
Javascrypt
·
· Score: 3, Insightful
The problem with hashing a password with js and then just sending the hash is that the hash effectively becomes the password. i.e. all someone needs to do is eavesdrop your http session and record the hash value. The attacker can then send that same hashed value to the server and login as you.
The server must hash the password itself or it isn't secure. Or the hash value must be protected as much as the password.
Slashdot Mirror
containing the RC5 checksums of real files, You mean MD5 checksum?
The problem with hashing a password with js and then just sending the hash is that the hash effectively becomes the password. i.e. all someone needs to do is eavesdrop your http session and record the hash value. The attacker can then send that same hashed value to the server and login as you.
The server must hash the password itself or it isn't secure. Or the hash value must be protected as much as the password.