It has also been suggested, in effect, that your code should be
saying
if encrypted_password == encrypt(post.password) then
You could also have cryptography at both ends:
1. Client sends a request to authenticate.
2. Server sends a message together with the request: calculate
encrypt(message,key) using your secret password as key,
and send me the result. While waiting for the response, server
does the same calculation.
3. Program does
if encryption == post.encryption then
This will mean that unencrypted passwords never physically
travel along the communications line.
Of course, your 'encrypt' function should not afford a way of
recovering a key from a plaintext/cyphertext pair.
Yes, yes, tools like openssl offer this service transparently, but
some people are paranoid.
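Both schemes from the post, as an added example rather than the poster's code: the stored-hash comparison (`encrypted_password == encrypt(post.password)`) and the three-step challenge-response exchange, with both the client's and the server's side of each message. The hypothetical `encrypt(message, key)` is realised here as HMAC-SHA256, which is built so that a plaintext/tag pair does not give the key back, which is exactly the property the post asks for. The user table, passwords, salt and iteration count are constructed for the example; note also that for the challenge-response variant the server has to hold the shared key (here a PBKDF2-derived key, not a one-way hash of the password), and each challenge is used once so a captured response cannot be replayed.

```python
"""Password verification two ways: salted stored hash, and challenge-response.

Added example, not code from the original post. Sample users, passwords,
salt and KDF parameters are constructed here for illustration.
"""
import hashlib
import hmac
import secrets

_KDF_ITERATIONS = 100_000  # illustrative assumption, not from the post


def derive_key(password: str, salt: bytes) -> bytes:
    """Fixed-length key from a password; used by both schemes below."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _KDF_ITERATIONS)


# --- Scheme 1: store encrypt(password), compare with encrypt(post.password) ---

def store_password(password: str) -> tuple[bytes, bytes]:
    """Returns (salt, stored_hash); the plaintext password is never kept."""
    salt = secrets.token_bytes(16)
    return salt, derive_key(password, salt)


def check_password(stored: tuple[bytes, bytes], submitted: str) -> bool:
    """The post's `encrypted_password == encrypt(post.password)`, in constant time."""
    salt, stored_hash = stored
    return hmac.compare_digest(stored_hash, derive_key(submitted, salt))


# --- Scheme 2: challenge-response, password-derived key never leaves the client ---

def response(key: bytes, challenge: bytes) -> bytes:
    """Step 2's `encrypt(message, key)`, realised as HMAC-SHA256 (a keyed PRF)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, users: dict[str, str], salt: bytes):
        # The server must hold the shared key to recompute the response,
        # so it keeps the derived key rather than a one-way hash of it.
        self._keys = {u: derive_key(p, salt) for u, p in users.items()}
        self._pending: dict[str, bytes] = {}

    def challenge(self, user: str) -> bytes:
        """Steps 1 and 2: client asks to authenticate; server issues a fresh nonce."""
        nonce = secrets.token_bytes(32)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, client_response: bytes) -> bool:
        """Step 3: server does the same calculation and compares in constant time."""
        nonce = self._pending.pop(user, None)  # one-shot: a nonce is never reused
        key = self._keys.get(user)
        if nonce is None or key is None:
            return False
        return hmac.compare_digest(response(key, nonce), client_response)


def client_login(server: Server, user: str, password: str, salt: bytes) -> bool:
    """Client side: only HMAC(key, nonce) travels, never the password."""
    nonce = server.challenge(user)
    return server.verify(user, response(derive_key(password, salt), nonce))


def demo() -> dict[str, bool]:
    good, bad = "correct horse battery staple", "Tr0ub4dor&3"  # constructed samples
    realm_salt = b"example-realm"  # constructed: a per-deployment constant both sides know

    stored = store_password(good)
    results = {
        "stored_hash_right": check_password(stored, good),
        "stored_hash_wrong": check_password(stored, bad),
    }

    server = Server({"alice": good}, realm_salt)
    results["challenge_right"] = client_login(server, "alice", good, realm_salt)
    results["challenge_wrong"] = client_login(server, "alice", bad, realm_salt)
    results["unknown_user"] = client_login(server, "bob", good, realm_salt)

    # Replay: a captured valid response is useless against the next challenge.
    captured = response(derive_key(good, realm_salt), server.challenge("alice"))
    results["first_use"] = server.verify("alice", captured)
    server.challenge("alice")  # a new nonce is now pending
    results["replayed_response"] = server.verify("alice", captured)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The two schemes protect different things: the stored hash protects the password database if it leaks, while the challenge-response protects the password on the wire; in scheme 2 the server's key table is itself sensitive, since whoever holds a derived key can answer challenges for that user.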