The expanses of WolfWings' land
scratched on the wall for all to see


July 24th, 2008

07:54 pm - Secure non-HTTPS password-change protocol... does one exist?
From what I've seen... no. And not 'completely secure' or anything, just as secure/best-practices as HMAC passwords versus plaintext. But there's just basically no way to even remotely secure password-changes that I can find that won't hand the 'keys to the kingdom' to anyone that gets a copy of that one, single HTTP request to the server.

There's a couple of 'public key' based ideas, but they're flat-out not possible in JavaScript due to speed overheads.

So... Internet Lunatics... anyone know of some research I missed somewhere to provide some cost-effective (in both runtime taken and actual data needed to be stored server-side) method to protect password changes?