4 comments

[ 2.6 ms ] story [ 19.6 ms ] thread
Of course, dealing with passwords properly on the server is only one side of the story.

If the connection between client and server is not secure, then an attacker could intercept a user's password as it travels in plaintext from client to server. And if a user's login persists by the use of a cookie, an attacker could impersonate a logged-in user by using their cookie, after intercepting it as it is sent in plaintext in every request from client to server.

Correct, I felt that those were outside of the scope of the post though. However, as I think about it more they seem fit better and better.