[WEB SECURITY] XKCD on password reuse
Sebastian Schinzel
ssc at seecurity.org
Thu Sep 16 15:38:37 EDT 2010
Hi Michael,
One addition:
> 1. Client side hashing really doesn't provide any security benefits, if
> anything it can create a false/incorrect sense of security as we've seen
> in this thread. Yes, there may be a few edge cases where it's sort of
> good, but let's stick to the fundamentals first
Client-side hashing and subsequent server-side hashing has the advantage that a man-in-the-middle does not learn the cleartext password of the victim.
This is no "edge case" but a useful security measure given the fact that most users use at least similar passwords for different applications.
Makes sense?
Cheers,
Sebastian Schinzel
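The two-stage scheme Sebastian describes, as an added example that is not part of the original post or of any project mentioned in it: the client derives a site-specific value from the password with PBKDF2 and sends only that value; the server then salts and hashes the received value again before storing it. The application salt, iteration count and the `demo` helper are constructed for this illustration. The example also checks the point raised earlier in the thread: the value on the wire is not the cleartext password, but it is still a valid credential for this one site.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Client side: derive a site-specific value so the cleartext password never
# leaves the client. The salt is a constant per application (constructed for
# this example); a per-user salt fetched from the server would also work.
CLIENT_SALT = b"example-app-v1"   # constructed value, not from the post
ITERATIONS = 100_000


def client_hash(password: str) -> str:
    """The value the client sends over the wire instead of the password."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), CLIENT_SALT, ITERATIONS
    )
    return digest.hex()


# Server side: treat the received value like a plain password and hash it
# again with a fresh random salt before storing it.
def server_store(wire_value: str) -> Tuple[bytes, bytes]:
    """Return (salt, stored_hash) for the user record."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac(
        "sha256", wire_value.encode("ascii"), salt, ITERATIONS
    )
    return salt, stored


def server_verify(wire_value: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the server-side hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", wire_value.encode("ascii"), salt, ITERATIONS
    )
    return hmac.compare_digest(candidate, stored)


def demo(password: str = "correct horse battery staple") -> dict:
    """Run one registration and login and report what each party sees."""
    wire = client_hash(password)          # what a man-in-the-middle observes
    salt, stored = server_store(wire)
    return {
        # The observer sees a site-specific digest, not the password itself.
        "mitm_sees_cleartext": password in wire,
        # The server database does not hold the value that travelled on the wire.
        "server_stores_wire_value": stored.hex() == wire,
        # A legitimate login from the same password succeeds.
        "login_ok": server_verify(client_hash(password), salt, stored),
        # A different password produces a different wire value and fails.
        "wrong_password_rejected": not server_verify(
            client_hash("wrong password"), salt, stored
        ),
        # Caveat from the thread: the captured wire value alone still logs in
        # here, so transport protection (TLS) remains necessary.
        "captured_wire_value_still_valid_here": server_verify(wire, salt, stored),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the client-side salt is tied to this application, a user who reuses the same password elsewhere still sends a different wire value to each site, which is the password-reuse benefit argued above; the last field of `demo` shows why this does not replace encryption of the connection.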