

Passwords -- The down and dirty. - adamdecaf
http://youfailatsecurity.org/2010/passwords-the-down-and-dirty

======
parenthesis
Of course, dealing with passwords properly on the server is only one side of
the story.

If the connection between client and server is not secure, then an attacker
could intercept a user's password as it travels in plaintext from client to
server. And if a user's login persists by the use of a cookie, an attacker
could impersonate a logged-in user by using their cookie, after intercepting
it as it is sent in plaintext in every request from client to server.

~~~
adamdecaf
Correct, I felt that those were outside of the scope of the post though.
However, as I think about it more they seem to fit better and better.

------
adamdecaf
This is my first security related article, thus I'm looking for suggestions
and comments. Thanks

~~~
mooism2
Why no mention of key strengthening?

<http://en.wikipedia.org/wiki/Key_strengthening>
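To make the key strengthening point concrete, here is an added example (not code from the thread or from the linked article) that stores a password as a salted, iterated PBKDF2-HMAC-SHA256 derivation using only Python's standard library. The iteration count, salt size, and record format are assumptions chosen for the example; the point is that each guess against a leaked record costs the attacker the full iteration count, and that storing the count with the record lets a site raise it later without forcing password resets.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the article or thread).
ITERATIONS = 200_000   # work factor; raise over time as hardware gets faster
SALT_BYTES = 16        # per-user random salt defeats precomputed tables
DKLEN = 32             # derived key length in bytes
ALGO = "pbkdf2_sha256"


def strengthen(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a key from the password with PBKDF2-HMAC-SHA256.

    Iterating the hash is the key strengthening idea: verifying a login
    costs `iterations` HMAC calls once, but every offline guess against a
    leaked record costs the attacker the same amount.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN
    )


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Produce a self-describing record: algo$iterations$salt$derived_key."""
    salt = os.urandom(SALT_BYTES)
    dk = strengthen(password, salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def parse_record(record: str):
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported record format")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    iterations, salt, expected = parse_record(record)
    candidate = strengthen(password, salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, target_iterations: int = ITERATIONS) -> bool:
    """True when the stored work factor is below the current target, so the
    record can be regenerated at the next successful login."""
    iterations, _, _ = parse_record(record)
    return iterations < target_iterations


def upgrade_on_login(password: str, record: str, target_iterations: int = ITERATIONS):
    """Login path: verify, then transparently re-strengthen stale records."""
    if not verify(password, record):
        return False, record
    if needs_rehash(record, target_iterations):
        record = make_record(password, target_iterations)
    return True, record


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print("good password:", verify("correct horse battery staple", rec))
    print("bad password: ", verify("Tr0ub4dor&3", rec))
```

The salt and iteration count travel with the record, so `verify` never needs configuration beyond the stored string, and `upgrade_on_login` shows how a deployment can ratchet the work factor upward as users log in.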

