Secure Login without HTTPS
Still working on my secure login without HTTPS. My non-comprehensive list of desired qualities:
- Never send password in a reversible encoding.
- Try to avoid replay attacks and session hijacking.
- Protect against brute force attacks on intercepted data.
- Protect against browser plugins.
Progress is coming along nicely. The authentication and validation steps are working, which means I have a functioning system. Next I need to exercise it and make sure it works in practice.