

There must be a better way to enforce password security... - sellandb

With all of this discussion of password security lately, one question I have is why browsers send the contents of a "password" input in plain text at all. Why not have the browsers perform a preliminary one-way hash before even sending the data to the server?
True, this is definitely not the entire answer to the password storage questions (I know: Bcrypt, Bcrypt, Bcrypt), but it would at least be a step in the correct direction, and if done properly it would probably eliminate the current epidemic of sites choosing to just store passwords in the clear.
======
mooism2
To avoid attackers sniffing something they can replay, you need to transmit
`salted_hash (whatever_is_stored_in_database)`.

This still leaves the issue of setting your password in the first place. You
have to transmit something an attacker could replay --- your only option for
protecting it is TLS. So you might as well use TLS for protecting passwords
when logging in as well, and then you don't need the browser to do anything
clever with passwords.
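To make both posts' points concrete, here is an added example (not code from either poster). It models the original suggestion, a browser that sends a deterministic one-way hash of the password instead of the password itself, and a server that still stores a second, salted, slow hash of whatever it receives. The names `client_prehash`, `server_register` and `server_verify` and the sample user are constructed for this illustration; PBKDF2 from the standard library stands in for bcrypt. The returned flags show that a leaked database row alone does not let anyone log in (the original post's goal), but that anything captured on the wire logs in just as well as the password did (mooism2's objection), which is why transport protection is still required.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # slow-hash work factor on the server side (illustrative)


def client_prehash(username: str, password: str) -> str:
    """What the browser would send instead of the raw password.

    Deterministic on purpose: the server must get the same value every
    login, so the user name is the only salt available client-side.
    """
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


def server_register(db: dict, username: str, token: str) -> None:
    """Store a salted, slow hash of the received token, never the token itself."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", token.encode(), salt, ITERATIONS)
    db[username] = (salt, stored)


def server_verify(db: dict, username: str, token: str) -> bool:
    """Recompute the stored hash for the received token and compare in constant time."""
    if username not in db:
        return False
    salt, stored = db[username]
    candidate = hashlib.pbkdf2_hmac("sha256", token.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def demo() -> tuple:
    """Returns (legit_login, replayed_capture_login, leaked_db_value_login)."""
    db = {}
    user, password = "alice", "correct horse battery staple"  # constructed sample

    # Registration: the browser transmits the prehash, the server re-hashes it.
    on_the_wire = client_prehash(user, password)
    server_register(db, user, on_the_wire)

    # Normal login: the browser recomputes the same prehash.
    legit = server_verify(db, user, client_prehash(user, password))

    # Whatever crossed the wire is a password equivalent: presenting it again
    # is indistinguishable from the real user, so without TLS it is replayable.
    replayed = server_verify(db, user, on_the_wire)

    # A leaked database row, by contrast, is not a valid login token.
    leaked_value = db[user][1].hex()
    from_leak = server_verify(db, user, leaked_value)

    return legit, replayed, from_leak


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The second flag is the whole of mooism2's argument: client-side hashing changes which string is the secret, not whether a secret is transmitted. The third flag is what the original poster was after, and it comes from the server-side salted slow hash, which is needed regardless of what the browser does.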

