undefined | Better HN

0 pointsestel13y ago0 comments

It's perfectly possible to use md5 to hash a password in Javascript before transmitting it by HTTP. There isn't a huge security benefit to doing so, however.

0 comments

3 comments · 2 top-level

omra13y ago· 1 in thread

Only doing that won't help. You might as well be transmitting the password, since someone can just copy the hash and then it would be equivalent to having the password. (Also known as a Pass the Hash attack, http://en.wikipedia.org/wiki/Pass_the_hash).

wisty13y ago

Each website could have a salt. The issue is, if it's not a secure connection, it's vulnerable to hijacks.

Tloewald13y ago

You can send a salted md5 password, which is how I implemented it years ago. The salt is supplied by the server and attached to the session.

j / k navigate · click thread line to collapse