Bitcoin Forum

Economy => Service Discussion => Topic started by: nimda on July 02, 2013, 03:25:30 PM



Title: Inputs.io Security [Solved]
Post by: nimda on July 02, 2013, 03:25:30 PM
Quote
Passwords hashed with SHA256 before being sent to the server - we never know your password
This concerns me slightly. The whole point of a hash is irreversibility once the server is compromised. However, this just uses the sha2 as the password. It's therefore a step forwards in some areas and a step backwards in others, unless the server takes the hash of the hash once received.


Title: Re: Inputs.io Security
Post by: tom1 on July 02, 2013, 04:05:11 PM
I'm wondering why there isn't an official thread about Inputs.io?


Title: Re: Inputs.io Security
Post by: escrow.ms on July 02, 2013, 04:07:10 PM
I'm wondering why there isn't an official thread about Inputs.io?

Because it's in beta aka testing stage.


Title: Re: Inputs.io Security
Post by: tom1 on July 02, 2013, 04:29:01 PM
I'm wondering why there isn't an official thread about Inputs.io?

Because it's in beta aka testing stage.
Hmm, it looks like it was released today: https://inputs.io/news#n-2


Title: Re: Inputs.io Security
Post by: paroxsitic on July 04, 2013, 03:33:08 PM
I have confirmed via HTTP recording that they do send just a SHA256-hashed password over the network (with no salt). It would indeed be more secure to salt the pin code you entered in a way that would not be obvious to someone who was sniffing around.

Nonetheless, hashing a password before it's sent in a POST is more secure than most non-financial sites.

I can only hope they do some sort of unique salt when storing the password to their database.


Title: Re: Inputs.io Security
Post by: MPOE-PR on July 04, 2013, 11:41:14 PM
Quote
Passwords hashed with SHA256 before being sent to the server - we never know your password
This concerns me slightly. The whole point of a hash is irreversibility once the server is compromised. However, this just uses the sha2 as the password. It's therefore a step forwards in some areas and a step backwards in others, unless the server takes the hash of the hash once received.

There's no real reason to suspect they aren't taking the hash of the hash is there?


Title: Re: Inputs.io Security
Post by: 🏰 TradeFortress 🏰 on July 04, 2013, 11:57:20 PM
Quote
Passwords hashed with SHA256 before being sent to the server - we never know your password
This concerns me slightly. The whole point of a hash is irreversibility once the server is compromised. However, this just uses the sha2 as the password. It's therefore a step forwards in some areas and a step backwards in others, unless the server takes the hash of the hash once received.

There's no real reason to suspect they aren't taking the hash of the hash is there?

This.

We use bcrypt on the server side, with a user unique salt.

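The scheme the thread settles on (browser sends sha256(password), server stores a per-user-salted bcrypt of that value) and the scheme nimda feared (server keeps the client hash as-is), side by side. This is an added example written for this page, not Inputs.io's code; bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 stands in for it, and the wordlist, user names and function names are constructed for the demonstration.

```python
"""Added example: client-side SHA-256 followed by server-side salted slow hashing.

Models the scheme discussed in the thread. Assumption: PBKDF2-HMAC-SHA256 stands
in for bcrypt (which the service says it uses) so the block runs offline; the
property shown does not depend on that choice.
"""
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 50_000  # work factor for the stand-in; bcrypt would use its cost parameter


def client_hash(password: str) -> str:
    """Unsalted SHA-256 hex of the password: what the browser POSTs.

    Unsalted means two users with the same password send the same value, and
    because the server authenticates this value, capturing it on the wire is as
    good as capturing the password for this site (TLS still has to protect it).
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def naive_store(received: str) -> str:
    """The feared design: the server keeps sha256(password) exactly as received."""
    return received


def naive_verify(received: str, stored: str) -> bool:
    return hmac.compare_digest(received, stored)


def server_store(received: str, salt: bytes | None = None) -> dict:
    """Hash of the hash with a per-user random salt (bcrypt in the real service)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", received.encode("ascii"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def server_verify(received: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", received.encode("ascii"), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["digest"])


def crack_unsalted(stored_client_hash: str, wordlist: list[str]) -> str | None:
    """Offline guessing against a leaked unsalted sha256: one fast hash per
    candidate, and the same table serves every user in the dump."""
    for guess in wordlist:
        if client_hash(guess) == stored_client_hash:
            return guess
    return None


def demo() -> dict:
    """Compare what a leaked database row is worth under each design."""
    wordlist = ["password", "letmein", "correct horse battery staple"]  # constructed
    alice_wire = client_hash("letmein")  # constructed user, same password as bob
    bob_wire = client_hash("letmein")

    naive_row = naive_store(alice_wire)
    good_row_alice = server_store(alice_wire)
    good_row_bob = server_store(bob_wire)

    return {
        # unsalted client hash: identical across users sharing a password
        "same_password_same_wire_value": alice_wire == bob_wire,
        # naive storage: the stored value is the credential, replay it and you are in
        "naive_row_replays": naive_verify(naive_row, naive_row),
        # ... and it falls to a plain wordlist
        "naive_row_cracks_to": crack_unsalted(naive_row, wordlist),
        # salted slow hash: rows differ per user, and the row is not a credential
        "salted_rows_differ": good_row_alice["digest"] != good_row_bob["digest"],
        "salted_row_replays": server_verify(good_row_alice["digest"].hex(), good_row_alice),
        # the legitimate login path still works
        "real_login_works": server_verify(client_hash("letmein"), good_row_alice),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the thread converges on is visible in the last three results: with the hash-of-the-hash design a stolen row can neither be replayed as the login value nor cracked at SHA-256 speed, whereas with naive storage the row is the login value. What the design does not change is the wire: the unsalted client hash is a password-equivalent for this one site, so it is no substitute for TLS.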

Title: Re: Inputs.io Security
Post by: nimda on July 05, 2013, 09:03:19 PM
Quote
Passwords hashed with SHA256 before being sent to the server - we never know your password
This concerns me slightly. The whole point of a hash is irreversibility once the server is compromised. However, this just uses the sha2 as the password. It's therefore a step forwards in some areas and a step backwards in others, unless the server takes the hash of the hash once received.

There's no real reason to suspect they aren't taking the hash of the hash is there?
The phrasing of the FAQ had me worried.
We use bcrypt on the server side, with a user unique salt.
That's good, thanks. I'll lock the topic.