Author

Topic: Inputs.io Security [Solved] (Read 902 times)

hero member
Activity: 784
Merit: 1000
0xFB0D8D1534241423
July 05, 2013, 04:03:19 PM
#8
Quote
Passwords hashed with SHA256 before sent to the server - we never know your password
This concerns me slightly. The whole point of a hash is irreversibility once the server is compromised. However, this just uses the sha2 as the password. It's therefore a step forwards in some areas and a step backwards in others, unless the server takes the hash of the hash once received.

There's no real reason to suspect they aren't taking the hash of the hash is there?
The phrasing of the FAQ had me worried.
We use bcrypt on the server side, with a user unique salt.
That's good, thanks. I'll lock the topic.
vip
Activity: 1316
Merit: 1043
👻
July 04, 2013, 06:57:20 PM
#7
Quote
Passwords hashed with SHA256 before sent to the server - we never know your password
This concerns me slightly. The whole point of a hash is irreversibility once the server is compromised. However, this just uses the sha2 as the password. It's therefore a step forwards in some areas and a step backwards in others, unless the server takes the hash of the hash once received.

There's no real reason to suspect they aren't taking the hash of the hash is there?

This.

We use bcrypt on the server side, with a user unique salt.
hero member
Activity: 756
Merit: 522
July 04, 2013, 06:41:14 PM
#6
Quote
Passwords hashed with SHA256 before sent to the server - we never know your password
This concerns me slightly. The whole point of a hash is irreversibility once the server is compromised. However, this just uses the sha2 as the password. It's therefore a step forwards in some areas and a step backwards in others, unless the server takes the hash of the hash once received.

There's no real reason to suspect they aren't taking the hash of the hash is there?
newbie
Activity: 37
Merit: 0
July 04, 2013, 10:33:08 AM
#5
I have confirmed via HTTP recording they do send just a SHA256 hashed password over the network (with no salt). It would indeed be more secure to salt your pin code you entered in a way that would not be obvious to someone who was sniffing around.

None the less, hashing a password before it's sent in a POST is more secure most non-financial sites.

I can only hope they do some sort of unique salt when storing the password to their database.
full member
Activity: 130
Merit: 100
July 02, 2013, 11:29:01 AM
#4
I'm wondering why there isn't an official thread about Inputs.io?

Because it's in beta aka testing stage.
Hmm, it looks like it was released today: https://inputs.io/news#n-2
legendary
Activity: 1274
Merit: 1004
July 02, 2013, 11:07:10 AM
#3
I'm wondering why there isn't an official thread about Inputs.io?

Because it's in beta aka testing stage.
full member
Activity: 130
Merit: 100
July 02, 2013, 11:05:11 AM
#2
I'm wondering why there isn't an official thread about Inputs.io?
hero member
Activity: 784
Merit: 1000
0xFB0D8D1534241423
July 02, 2013, 10:25:30 AM
#1
Quote
Passwords hashed with SHA256 before sent to the server - we never know your password
This concerns me slightly. The whole point of a hash is irreversibility once the server is compromised. However, this just uses the sha2 as the password. It's therefore a step forwards in some areas and a step backwards in others, unless the server takes the hash of the hash once received.
Jump to: