
It's perfectly possible to use MD5 to hash a password in JavaScript before transmitting it by HTTP. There isn't a huge security benefit to doing so, however.



Only doing that won't help. You might as well be transmitting the password, since someone can just copy the hash and then it would be equivalent to having the password. (Also known as a Pass the Hash attack: http://en.wikipedia.org/wiki/Pass_the_hash.)


Each website could have a salt. The issue is, if it's not a secure connection, it's vulnerable to hijacks.


You can send a salted MD5 password, which is how I implemented it years ago. The salt is supplied by the server and attached to the session.
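
The two schemes discussed in this thread, side by side, as an added example that is not part of any comment above: a static client-side MD5 hash is accepted when replayed, while a response bound to a server-supplied per-session salt is rejected in any other session. The class names, the `md5(salt + md5(password))` construction and the sample password are assumptions made for illustration (Node.js).

```javascript
const nodeCrypto = require('crypto');
const md5 = (s) => nodeCrypto.createHash('md5').update(s).digest('hex');

// Scheme A: browser sends md5(password); server compares with its stored hash.
class StaticHashServer {
  constructor(password) { this.stored = md5(password); }
  login(sentHash) { return sentHash === this.stored; }
}

// Scheme B (assumed construction): server attaches a random salt to each
// session and expects md5(salt + md5(password)); the salt is single use.
class SessionSaltServer {
  constructor(password) { this.stored = md5(password); this.salts = new Map(); }
  newSession() {
    const id = nodeCrypto.randomBytes(8).toString('hex');
    const salt = nodeCrypto.randomBytes(16).toString('hex');
    this.salts.set(id, salt);
    return { id, salt };
  }
  login(id, response) {
    const salt = this.salts.get(id);
    if (salt === undefined) return false;
    this.salts.delete(id); // discard the salt after one attempt
    const expected = Buffer.from(md5(salt + this.stored));
    const got = Buffer.from(String(response));
    return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
  }
}

// What the browser-side script would compute for scheme B.
const clientResponse = (salt, password) => md5(salt + md5(password));

function replayDemo() {
  const password = 'correct horse battery'; // constructed sample value
  const a = new StaticHashServer(password);
  const seenA = md5(password);               // value visible on plain HTTP
  const b = new SessionSaltServer(password);
  const s1 = b.newSession();
  const seenB = clientResponse(s1.salt, password);
  const legit = b.login(s1.id, seenB);       // the real user logs in
  const s2 = b.newSession();                 // later session, new salt
  return {
    staticReplay: a.login(seenA),            // hash works as the password
    legit,
    saltedReplay: b.login(s2.id, seenB),     // bound to the old salt
    reuseOldSession: b.login(s1.id, seenB),  // salt already consumed
  };
}
```

The per-session salt only stops replay of the login message; as noted in the thread, a connection that is not secure remains vulnerable to hijacking.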



