note
haukex
<p>Thank you for the thoughtful reply!</p>
<blockquote><i>You don't want to expose the salt to the client - but without salt hashing doesn't give better security.</i></blockquote>
<p>Yes, I should have been more clear on this - I would take a hash of only the password on the client side, say SHA-512 multiple times, and <i>additionally</i> do the same hashing+salt on the server. That way, the cleartext password is never seen by the server, and provided the hash isn't in a rainbow table somewhere, it adds a tiny bit more security.</p>
<p>All of your points are excellent, and yes, I see that perhaps a per-IP delay or lockout on too many attempts might even be better than the current implementation (in Mojo: <c>$c->tx->remote_address</c>). Even though I agree logging is very important, did leave it out of this example... but luckily Mojo makes it fairly easy to add: <c>app->log->warn("...")</c>, <c>app->log->error("...")</c> and so on, and it can be redirected into a database as well via the event mechanism built into [mod://Mojo::Log].</p>
11114542
11114545