Sir_Substance | 5 years ago

> and it does further protect the user's password from being harvested from passive MITM'd SSL like it is on some corporate networks.

It might protect the password if the user is reusing it elsewhere, but it doesn't protect the account the password is securing during the intercepted transmission.

The MITM attacker can just replay the hash.

nucleardog | 5 years ago

No reason the server can’t provide a nonce for the login to salt the hash.

Sir_Substance | 5 years ago

Now the server has to store the password in plain text so it can rehash with the new nonce every time.

withinboredom | 5 years ago

And how would the server know the desalted hash?
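
The two schemes discussed in this thread, modelled as an added example that is not part of any comment above: a fixed client-side hash, and a server-issued single-use nonce answered with an HMAC. The class names, the PBKDF2 and HMAC-SHA256 choices, and the sample password and salt are assumptions made for illustration; the last result shows that the value the server keeps to check responses is itself enough to log in.

```python
import hashlib, hmac, secrets

def client_hash(password: str, salt: bytes) -> bytes:
    # Client-side hash: a fixed value for a given password and salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def respond(secret: bytes, nonce: bytes) -> bytes:
    # Client's answer to a challenge: HMAC of the nonce under the shared secret.
    return hmac.new(secret, nonce, hashlib.sha256).digest()

class StaticHashServer:
    """Hypothetical server where the client sends the same hash on every login."""
    def __init__(self, stored: bytes):
        self.stored = stored
    def login(self, sent: bytes) -> bool:
        return hmac.compare_digest(sent, self.stored)

class NonceServer:
    """Hypothetical server that issues a single-use nonce and checks HMAC(secret, nonce)."""
    def __init__(self, secret: bytes):
        self.secret = secret      # kept in a form the server can recompute from
        self.pending = set()
    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce
    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:
            return False          # unknown or already used nonce
        self.pending.discard(nonce)
        return hmac.compare_digest(response, respond(self.secret, nonce))

def demo() -> dict:
    h = client_hash("correct horse", b"constructed-salt")  # constructed sample values
    static, nonced = StaticHashServer(h), NonceServer(h)
    n1 = nonced.challenge()
    r1 = respond(h, n1)           # what a passive observer on the wire records
    results = {
        "static_replay": static.login(h),                 # recorded hash sent again
        "nonce_first_login": nonced.login(n1, r1),        # legitimate login
        "nonce_replay_same": nonced.login(n1, r1),        # same nonce, same response
        "nonce_replay_new": nonced.login(nonced.challenge(), r1),  # old response, new nonce
    }
    n = nonced.challenge()
    # Anyone holding the server's stored secret can answer a fresh challenge.
    results["stored_secret_logs_in"] = nonced.login(n, respond(nonced.secret, n))
    return results

if __name__ == "__main__":
    print(demo())
```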