
You can supply just your password hash if you want, and if you supply the raw password, it's hashed client-side via JavaScript before being sent to the server. Test it out with Firebug and a dummy password if you're not keen on wading through the source.


Still, hashes can be cracked, and an evil password-checking website can then associate the password with all of the other personally-identifiable data that browsers are known to leak. I don't think this particular site is being evil, but it would be wrong for a user to trust a site like this.


Again, you can check the source. It's a single page for a reason ;-). There's no trickery hidden in there.


Maybe no trickery hidden in there now, but that could change any time. Or sometimes. Or depending on IP, browser or OS.


And even if there's no "trickery" from the hosting site, they're slurping in JavaScript from a 3rd party down the bottom (getclicky). That means they (or anybody who compromises them) could grab the cleartext passwords from the form before the inline JavaScript does its SHA-1 hashing…


I mean server-side (can we check the source for that?). The server could crack the hash, and the server could use various pieces of data (IP address, HTTP headers, etc.) to try to figure out more about the password's owner.


True, that's completely possible. However, if this concerns you then you should probably not sign up for any account on any site, since they could be doing the very same thing with your actual password.


Which is why you use different passwords on different sites.


What would be good is to have the 'checking request' return JSON (or just some short info) and not a whole HTML page.



