Jayd-H opened 5 months ago
I'm not sure this is a good idea, as the hash could still be intercepted and used to log in in a replay attack. The best defence against this sort of thing, without then creating more problems, would be to use SSL. But in the absence of that I could implement an HMAC-like system.
Lmk which one you'd prefer?
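The "HMAC-like system" proposed above, worked through as an added example that is not part of the original thread or the project's code: the server issues a single-use random nonce per login, the client answers with HMAC(verifier, nonce) where the verifier is derived from the password and a per-user salt, and the server checks the answer against its stored verifier. The `Server` class, the PBKDF2 verifier derivation and the user names are assumptions made for this illustration. The `demo()` function shows a genuine login succeeding and the same captured response being rejected when presented again, which is the replay case the comment above is worried about.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example (not the project's code). The server stores, per user,
# a random salt and a verifier = PBKDF2(password, salt). The client derives
# the same verifier from the typed password and the salt it is given, so the
# plaintext password never leaves the browser and each login answer is bound
# to a fresh nonce.

def derive_verifier(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation shared by client and server (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    def __init__(self):
        self.users = {}    # username -> (salt, verifier)
        self.pending = {}  # username -> outstanding single-use nonce

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, derive_verifier(password, salt))

    def challenge(self, username: str):
        """Hand the client its salt plus a fresh nonce; replaces any older nonce."""
        salt, _ = self.users[username]
        nonce = secrets.token_bytes(32)
        self.pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, nonce: bytes, response: bytes) -> bool:
        """Accept only if the nonce is the one currently outstanding for this user
        and the response is HMAC(verifier, nonce). The nonce is consumed on every
        attempt, so a captured response cannot be presented a second time."""
        salt, verifier = self.users[username]
        outstanding = self.pending.pop(username, None)
        if outstanding is None or not hmac.compare_digest(outstanding, nonce):
            return False
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What the login page would send instead of the password."""
    verifier = derive_verifier(password, salt)
    return hmac.new(verifier, nonce, hashlib.sha256).digest()


def demo():
    """Returns (genuine_ok, replay_old_nonce, replay_new_nonce, wrong_password)."""
    server = Server()
    server.register("alice", "correct horse battery staple")

    # Genuine login: fresh challenge, correct password.
    salt, nonce = server.challenge("alice")
    resp = client_response("correct horse battery staple", salt, nonce)
    genuine_ok = server.verify("alice", nonce, resp)

    # Presenting the same (nonce, response) pair again: nonce already consumed.
    replay_old_nonce = server.verify("alice", nonce, resp)

    # Presenting the old response against a new challenge: HMAC does not match.
    _, nonce2 = server.challenge("alice")
    replay_new_nonce = server.verify("alice", nonce2, resp)

    # Wrong password against a fresh challenge.
    salt, nonce3 = server.challenge("alice")
    wrong_password = server.verify(
        "alice", nonce3, client_response("not the password", salt, nonce3))

    return genuine_ok, replay_old_nonce, replay_new_nonce, wrong_password


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

Two caveats worth keeping in mind with this design. The stored verifier is password-equivalent for this protocol: anyone who can read the users table can compute valid responses, so the database still needs the same protection as a hash table would, and registration still has to carry the verifier (or the password) to the server once, which this scheme does not protect. It stops passive capture and replay of login traffic; it does not replace SSL/TLS, which also protects everything else the session sends.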
Yeah, you are right. I had a lot of trouble using SSL with the Azure database, that's why I disabled it all. Implementing HMAC seems interesting though. Then again, realistically this is a non-issue for our use case, so if it will take you a long while just leave it honestly. I know other groups have not even implemented any form of password hashing at all lol.
This is so we are not susceptible to interception of the plaintext password whilst sending it from both the register and login pages.