Re: New Input type proposal

Ben C wrote:
> 
> I was referring to the common practice of using one pet's name as a
> password.

Sorry, didnt notice the pun :).

> 
> Some point in that yes, but really users shouldn't use the same password
> for different sites, or at least, should use one password for
> low-security unim****tant sites and a different one for bank accounts.

I agree, but thats another point and they usually use the same password 
for different sites.

> 
> 
> How does munging alter that situation? If he can replay the first access
> (by getting hold of the hash used) then won't he just get his very own
> replaysalt in just the same way?
> 
> Can you describe an example, step-by-step, of a session in which the
> replaysalt provides some benefit that one-time session numbers don't?

1.) The user requests a site.
2.) The server sends the login form, issues a random replay salt and 
stores it in a session.
3.) The user enters the necessary information.
4.) The browser hashes the entered password and hashes the result once 
more with the replay salt.
5.) The server hashes the stored hash with the previously issued replay 
salt and compares the result to the given value.

Alexander