Timeline for Should I obfuscate passwords before hashing? Should I pre-hash them on the client? What about salts?
Current License: CC BY-SA 3.0
3 events
| when | what | | by | license | comment |
|---|---|---|---|---|---|
| Oct 8, 2012 at 16:53 | comment | added | Iiridayn | | wrt Q1a, even though the hash is password equivalent, it is not the password - hashing is designed to prevent damage due to leaks. However, an attacker who can intercept and read network traffic can probably also alter traffic - eg, by introducing custom javascript to capture the password before your javascript hashes it. That the password is not any better protected is an important argument against javascript hashing. |
| Apr 25, 2011 at 21:38 | vote | accept | Mike S | | |
| Apr 25, 2011 at 19:55 | history | answered | Thomas Pornin | CC BY-SA 3.0 | |