undefined | Better HN

0 pointsscottydelta11y ago0 comments

Even if they 'check that the cleartext you send them when logging in is doubled before hashing half of it' and calculate hash of the doubled string, what will they check it against? They don't have the hash of double the string until and unless they were storing the plain-text.

0 comments

3 comments · 1 top-level

ars11y ago· 2 in thread

They have the hash of the original password.

They just check if the entered password is doubled identically, then compare half of it to the hash.

TimSchumann11y ago

Correct me if i'm wrong here, but to do what you're saying they could/should do here we basically have three options...

1) Storing the password in plaintext. 2) Sending the password over the wire in plaintext. 3) Computing two hashes on the same system (presumably) via the same function, with a known relationship between their inputs.

I guess the fourth option is they have a securely stored hash of the password, but that still wouldn't allow them to compute the 2x hash server side so we're looking at another round trip and/or number three above.

Not confidence inspiring.

ars11y ago

> Correct me if i'm wrong here

Yes, you are wrong.

> we basically have three options

Or sending the plaintext password over the wire using SSL?

You are aware that to use a hash the server needs the plain text password right? And not just them, every server needs this?

You are acting like getting the plaintext password is something strange. It's not.

You can send the password encrypted or not, it has nothing to do with the hash on the server.

> but that still wouldn't allow them to compute the 2x hash

As I have said already, they are not computing the 2x hash.

j / k navigate · click thread line to collapse