Only doing that won't help. You might as well be transmitting the password, since someone can just copy the hash and then it would be equivalent to having the password. (Also known as a Pass the Hash attack, http://en.wikipedia.org/wiki/Pass_the_hash).



Each website could have a salt. The issue is, if it's not a secure connection, it's vulnerable to hijacks.

-----
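An added example, not part of either comment above: a small simulation of the point made in the thread, that a client-side hash is itself the credential, and that a per-site salt only stops the observed value from working on a different site. It goes one step beyond the thread by adding a one-time nonce variant, which makes the observed login value single-use but does nothing for the rest of a session on a non-secure connection. The class names, salts and sample password are hypothetical and constructed for illustration.

```python
import hashlib, hmac, secrets

def client_hash(password: str, site_salt: str) -> str:
    # Value the browser sends in place of the password (per-site salt).
    return hashlib.sha256((site_salt + password).encode()).hexdigest()

def respond(hashed: str, nonce: str) -> str:
    # Client's answer to a server nonce, keyed by the client-side hash.
    return hmac.new(hashed.encode(), nonce.encode(), hashlib.sha256).hexdigest()

class StaticHashSite:
    """Hypothetical site that accepts the client-side hash as the credential."""
    def __init__(self, site_salt: str, password: str):
        self.site_salt = site_salt
        self._stored = client_hash(password, site_salt)  # password-equivalent

    def login(self, presented: str) -> bool:
        return hmac.compare_digest(self._stored, presented)

class NonceSite(StaticHashSite):
    """Same stored value, but each login must answer a fresh one-time nonce."""
    def __init__(self, site_salt: str, password: str):
        super().__init__(site_salt, password)
        self._pending = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return nonce

    def login(self, nonce: str, response: str) -> bool:
        if nonce not in self._pending:      # unknown or already-used nonce
            return False
        self._pending.discard(nonce)
        return hmac.compare_digest(respond(self._stored, nonce), response)

def demo() -> dict:
    pw = "correct horse"                    # constructed sample password
    a = StaticHashSite("site-a-salt", pw)
    b = StaticHashSite("site-b-salt", pw)
    on_wire = client_hash(pw, a.site_salt)  # what a plaintext connection exposes
    n = NonceSite("site-c-salt", pw)
    nonce = n.challenge()
    answer = respond(client_hash(pw, n.site_salt), nonce)
    return {
        "replay_same_site": a.login(on_wire),           # hash works as the password
        "replay_other_site": b.login(on_wire),          # per-site salt limits reuse
        "first_nonce_login": n.login(nonce, answer),
        "replayed_nonce_login": n.login(nonce, answer), # nonce already consumed
    }
```

In both variants the server still stores a value that is equivalent to the password, so this is an illustration of replay behaviour, not a storage scheme.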



