On Tue, Jan 3, 2017, 22:02 Henry <henry.adisuma...@gmail.com> wrote:

> Hi,
>
> Thanks for the replies. I deleted the original post because I managed to
> figure out what to do. There was a bug that stumped me and I thought I was
> doing things wrong. Once the bug was fixed, it works okay. The example
> posted by Sebastien is very useful. Thanks!
>
> To answer edward's questions, I am building a multipage app. I use a
> form-based authentication. I do not encrypt anything on the client side. I
> assume anything on the client side can easily be compromised. Hence, any
> encryption or hashing on the client side seems like a waste of effort for
> little benefits.

While I agree that client-side hashing is overkill, I think the threat model it's intended to protect against is a compromised *server*, since this would prevent the server from ever seeing the plaintext password. In practice, I think most sites use TLS as you describe, and use bcrypt or similar on the server, along with rate limiting. This protects against everything except an advanced persistent threat (APT).

> Instead, I am relying on TLS. However, I encrypt any cookie stored on the
> client with constantly changing password. It seems like an overkill
> considering the cookies store only session ID and nothing else.
>
> I am curious what the industry best practice is.
>
> --
> You received this message because you are subscribed to the Google Groups
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-nuts+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Jonathan Yu / *@jawnsy* on LinkedIn <https://linkedin.com/in/jawnsy>, Twitter <https://twitter.com/jawnsy>, GitHub <https://github.com/jawnsy>, Facebook <https://facebook.com/jawnsy>

*“Ever tried. Ever failed. No matter. Try again. Fail again. Fail better.”* — Samuel Beckett, Worstward Ho (1983)

“In an adaptive environment, winning comes from adapting to change by continuously experimenting and identifying new options more quickly and economically than others. The classical strategist's mantra of sustainable competitive advantage becomes one of serial temporary advantage.” — Navigating the Dozens of Different Strategy Options <https://hbr.org/2015/06/navigating-the-dozens-of-different-strategy-options> (HBR)
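The server-side flow the reply describes (TLS on the wire, a salted slow hash on the server, failed-attempt limiting, and a cookie that carries only a random session ID) as an added Go example; this is not code from the thread or from any of its participants. bcrypt lives in golang.org/x/crypto rather than the standard library, so the example swaps in PBKDF2-HMAC-SHA256 (RFC 8018) built from crypto/hmac as the slow hash; the iteration count, the lockout threshold, the type names and the in-memory store are all assumptions for illustration.

```go
// Added example (not from the thread): server-side password verification
// with a per-user salt, an iterated hash, constant-time comparison,
// per-account failed-attempt limiting, and a random session ID cookie.
// PBKDF2-HMAC-SHA256 stands in for bcrypt, which is not in the stdlib.
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"sync"
)

const (
	pbkdf2Iterations = 100_000 // assumed tuning value; raise as hardware allows
	maxFailedLogins  = 5       // assumed lockout threshold
)

// pbkdf2SHA256 derives a dkLen-byte key per RFC 8018 section 5.2.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	numBlocks := (dkLen + hLen - 1) / hLen
	out := make([]byte, 0, numBlocks*hLen)
	var idx [4]byte
	for i := 1; i <= numBlocks; i++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Write(idx[:])
		u := prf.Sum(nil) // U_1
		t := append([]byte(nil), u...)
		for j := 1; j < iter; j++ { // T = U_1 xor U_2 xor ... xor U_iter
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// account stores only salt and hash, never the password itself.
type account struct {
	salt, hash []byte
	failed     int
}

type authStore struct {
	mu       sync.Mutex
	accounts map[string]*account
	sessions map[string]string // session ID -> username (server side only)
}

func newAuthStore() *authStore {
	return &authStore{accounts: map[string]*account{}, sessions: map[string]string{}}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

var (
	errBadCredentials = errors.New("invalid username or password")
	errLockedOut      = errors.New("too many failed attempts")
)

// Register hashes the password under a fresh 16-byte salt.
func (s *authStore) Register(user, password string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	salt := randomBytes(16)
	s.accounts[user] = &account{salt: salt, hash: pbkdf2SHA256([]byte(password), salt, pbkdf2Iterations, 32)}
}

// Login verifies in constant time and, on success, issues a random session ID.
func (s *authStore) Login(user, password string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	acct, ok := s.accounts[user]
	if !ok { // hash anyway so unknown users cost the same time as known ones
		pbkdf2SHA256([]byte(password), make([]byte, 16), pbkdf2Iterations, 32)
		return "", errBadCredentials
	}
	if acct.failed >= maxFailedLogins {
		return "", errLockedOut
	}
	candidate := pbkdf2SHA256([]byte(password), acct.salt, pbkdf2Iterations, 32)
	if subtle.ConstantTimeCompare(candidate, acct.hash) != 1 {
		acct.failed++
		return "", errBadCredentials
	}
	acct.failed = 0
	id := hex.EncodeToString(randomBytes(32))
	s.sessions[id] = user
	return id, nil
}

// UserForSession resolves a cookie value back to the logged-in user.
func (s *authStore) UserForSession(id string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.sessions[id]
	return u, ok
}

// sessionCookie carries only the opaque ID, restricted to TLS and hidden from scripts.
func sessionCookie(id string) *http.Cookie {
	return &http.Cookie{Name: "session", Value: id, Path: "/", HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode}
}

func main() {
	store := newAuthStore()
	store.Register("alice", "correct horse battery staple") // constructed sample account
	id, err := store.Login("alice", "correct horse battery staple")
	fmt.Println(len(id), err)
	_, err = store.Login("alice", "wrong")
	fmt.Println(err, sessionCookie(id).Secure)
}
```

The session ID is random and meaningless on its own, which is why the cookie needs no encryption of its own: everything that gives it meaning stays in the server-side map, and revoking a session is a delete from that map. The dummy hash on the unknown-user path keeps a login attempt's timing from revealing whether the username exists.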