Message-ID: <39697022.20150424181258@gmail.com>
Date: Fri, 24 Apr 2015 18:12:58 +0200
From: Krisztián Pintér <pinterkr@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Client-side hashing (was side-channel stuff)

Sascha Schmidt (at Friday, April 24, 2015, 5:01:37 PM):
> Taking client-independent updates out of the equations seems reckless
> in most scenarios. You would basically put an expiration date on the
> password hashes.
expiration yes, but it is not reckless. it is merely an inconvenience.
and we are not talking about months here. we are talking about years.
so the downside is passwords will expire after a year or two, and the
user must proceed with the forgotten password routine. i don't think
it is that bad.