undefined | Better HN

0 pointsjarkhen5y ago0 comments

That protects against an attacker reading network traffic. It does not protect against an attacker that has the hashed password from the DB.

The only thing you need in order to authenticate at any given time is the hash of (hashed password + nonce). The latter you get for free, at any time, from the server, so you only need to know the hashed password -- not the password itself. Since the hashed password is directly stored in the DB, if you get your hands on that you can authenticate.

0 comments

SAI_Peregrinus5y ago

Right. My mistake. I should have thought it through more thoroughly before posting. Hopefully my comment doesn't mislead anyone, I'll try to do better in the future.

j / k navigate · click thread line to collapse

0 comments

SAI_Peregrinus5y ago

Right. My mistake. I should have thought it through more thoroughly before posting. Hopefully my comment doesn't mislead anyone, I'll try to do better in the future.

j / k navigate · click thread line to collapse