Re: JS and security.
- From: "Jim Davis" <newsmonkey@xxxxxxxxxxx>
- Date: Fri, 2 Sep 2005 16:16:16 -0400
"Roger" <crosseyedpenguin@xxxxxxx> wrote in message
> Jim Davis wrote:
>> There's no sense (although I'm willing to be convinced) in attempting to
>> encryption, key management, credential management, etc should all be
>> centralized and rigidly controlled.
> sent to the server. Most users use the same passwords for multiple
> applications, so sniffing out a users password on one application may
> lessen the security on other applications the user has access to.
I can see the point... but have two issues with this:
1) Doing "good" encryption is difficult to do in script (it's slow and
there are language issues). So, for the most part it'll be weak encryption
2) In my opinion no passwords should be sent across an open pipe anyway: SSL
should always be used. This is MUCH stronger encryption than you'd get with
script and eliminates any benefit to manually encrypting the password.
However if you're unable to use SSL then this might be a "better that
> It is better for the user's point of view to never let the host have
> access to the user's raw password. Therefore, none of the dishonest
> employees with access to the user file on the host will have access to the
> user's password.
Ah - but you're not talking about encryption here (sorry to be a jerk - this
is a pet peeve of mine). This is called "hashing".
Encryption implies that you can retrieve the data again (to be plain
encryption implies unencryption). Hashing, on the other hand, is more like a
"fingerprinting" - it's an identification technology. While a fingerprint
can be used to identify somebody it can't be used to recreate the whole
For hash generation I can definitely see some use for doing it on the
client-side. There are still issues. (For example, hashes, especially for
small values, aren't unique - so many possible passwords could have the same
hash - any of which would work to get into the user's account.)
But there is definitely some value in it, you're right.