Re: New Input type proposal

Alexander Mueller wrote:

Quote:

J.O. Aho wrote:

As you mentioned your system would prevent the administrator from
knowing your
password, then the password has to be hashed already at the site, and
therefore the hashing has to be the the same in the form as on the
site, or
else you would always fail the login or the site has to spend long
time with
cracktools to be able to find out the password and then has it the way
it's
hashed on the site.

Sorry I dont really know what you are exactly meaning.

I think he's talking about the salt. Do you pass the salt with the
form submit, if you do, what is the security advantage?

All this looks a bit like unix password encryption where no one knows
the password, only if it is wrong. What would the application be?

Jeff

Quote:

Again, please reread my initial posting, I guess everything should be
clear then . The system wouldnt know the plain text password (which it
doesnt need) but only the hash code. This can then be compared to the
stored hash code. The only difference is the computation of the hash
happens locally - no brute force, no same passwords.

Alexander