
Secure Passwords sans SSL - jmonegro
http://terrbear.org/?p=210
======
cperciva
This is security FAIL. I repeat, DO NOT DO THIS.

Without SSL, you have no guarantee that the login form has not been tampered
with; instead of hashing the password and sending the hash to the real server,
an attacker can substitute a page which doesn't do any hashing and sends the
password to the attacker.

(Technically there's a slight benefit, in that this will protect you from
purely passive attacks. But the odds of that distinction mattering are
approximately zero.)

------
lsc
how is this different from http digest authentication?

