Reply to post: Re: Storing passwords in plain text?

For Foxit's sake: PDF editor biz breached, users' passwords among stolen data


Re: Storing passwords in plain text?

I hate to tell you, but there's protocols that are actually somewhat underspecified in terms of what encoding the password should be in, effectively reducing you to 7bit ASCII as common denominator. (HTTP Auth, I'm looking at you.)

And your hash-in-the browser scheme is somewhat flawed: whatever you give the service to recognize you by, that's de facto the password. The server can't tell if you use 2000 rounds of bcrypt every time to derive it from your first pet's maiden name or if it's just wgo4387gwheo34 by chance and you send that directly. Yes, you can build something like "Server tells the client to run X iterations, server runs N-X iterations and only has the N-iteration hash on file", which is basically challenge-response, but frankly, the answer to "the service has something like my password" is public key crypto, and that's even baked into TLS (client auth), and HTML5 had extra support for that by way of the keygen element, but browsers are actively removing those capabilities, and the UI was always pretty horrible, and server-side, it was always a bit of a dark art.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021