On 08 Nov 2005, at 7:29 PM, Pat Collins wrote:
On Tue, 8 Nov 2005 18:14:58 +0100, Konstantin Käfer <kkaefer@gmail.com> wrote:
Hello,
Why should sending the password hashed increase security? Just get the hashed password and provide that to the script (of course not by entering it in the password field but by "faking" the HTTP POST values).
The only way to protect the password is using SSL or TLS.
True, but not everybody can use SSL/TLS. What about some kind of authentication checking where the site would keep track of where you have logged in from and upon detection of a change would prompt you with a question that only you would know or send you an email that you would have to respond to before you could gain access?
Like certain ISPs that change the IP of the user with every request? 'where you have logged in from' is mostly impossible to determine.

--
Adrian Rossouw
Drupal developer and Bryght Guy
http://drupal.org | http://bryght.com