undefined | Better HN

0 pointsannnnd12y ago0 comments

DON'T! Just don't.

Encrypting user credentials in JS is probably even worse than parsing HTML with regular expressions: http://stackoverflow.com/questions/1732348/regex-match-open-...

Just send it in cleartext, but over properly verified https.

0 comments

2 comments · 2 top-level

mr_luc12y ago

I've read the Matasano whitepaper on why you can't count on Javascript for security, as I imagine you have, and it makes sense. Use https.

That being said, look at something like blockchain.info.

It adds javascript security on top of https, and for (what seems like) excellent reasons.

nopassrecover12y ago

I was just musing hypothetically, but can you elaborate on why this is bad? Surely sending an encoded password is better than a non-encoded one, and in a worst case only as bad as sending a cleartext password (i.e. what happens now).

j / k navigate · click thread line to collapse