Posted 13 November 2012 - 10:53
Another "maybe I am dumb" question here...
Isn't it the case that when you create a password, it would be transmitted unhashed anyway? (plaintext - over SSL of course!) So the server receives it as plaintext and can easily do text comparison to a list of insecure passwords?
Then when it saves it, it would salt+hash the password. When you login, it would do the same thing - transmit plaintext, then the server hashes it and compares it with the stored hash?
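The flow the post describes (server receives the plaintext over TLS, screens it against a weak-password list, salts and hashes it for storage, then repeats the hash on login and compares) as an added example; this is not code from the poster or from any forum software. The weak-password list is a constructed stand-in for a real breach corpus, the `pbkdf2_sha256$iterations$salt$digest` record layout and the PBKDF2 iteration count are assumptions chosen for the example, and the comparison uses a constant-time check so verification does not leak timing information.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed blocklist of weak passwords (illustrative; a real deployment
# would consult a large breached-password corpus).
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

# Assumed parameters for this example.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def is_weak(password: str) -> bool:
    """Policy check run on the plaintext the server received over TLS."""
    return password.lower() in WEAK_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt and hash with PBKDF2-HMAC-SHA256; returns a self-describing record."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Login path: re-derive the hash with the stored salt and compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so a mismatch does not leak where it differed.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(password: str) -> str:
    """Registration path: reject weak passwords, otherwise return the stored record."""
    if is_weak(password):
        raise ValueError("password appears in the weak-password list")
    return hash_password(password)


if __name__ == "__main__":
    record = register("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))  # False
```

Because each record carries its own random salt, hashing the same password twice yields two different records, so the stored hashes cannot be compared across accounts or attacked with a single precomputed table.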