Originally Posted by Old Pedant
And I see nothing that says it is bad to remember *HASHED* passwords on a server. (Presumably we are talking about a "one-way" hash, meaning that a password can never be recovered, only tested.)
Hopefully others here will chime in.
there's plenty wrong with storing MD5'd passwords on a cheap server. yes, it's one way, but that doesn't mean much if it's fast....
MD5 is super fast to generate, so once a hacker dumps and drops your mysql tables, he runs brute-force password generators, MD5's each result, and looks for matches on your DB's user table.
if fredbob1234 has an account and the password is brute-forced to "mayday1920", and they know from a previous corporate server compromise that chase has a user named "fredbob1234", and given that people are lazy, there's a decent chance that the chase account password will be a derivative of the "mayday1920" password on the just-hacked mom and pop site; perhaps "Mayday1920", "mayday1920chase" or "mayday1920!"...
openauth2 is pretty easy to integrate, and i trust its security mechanism of using location.hash to not leave behind any tokens on regular http pages or server logs.
BROWSER STATS [% share]
(2013/10/31) IE7:0.5, IE8:8.6, IE9:5.3, IE10:12.3, FF:17.7, CH:41.8, SF:8.1, MOBILE:20.4
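The point about MD5 being "one way but fast" is easiest to see next to the alternative. The following is an added example, not code from the thread or from either poster: it stores a password the way the post warns against (unsalted MD5) beside a salted, deliberately slow PBKDF2-HMAC-SHA256 record, verifies against the stored record in constant time, and measures how many hashes per second each scheme allows on the current machine, which is the number a defender should care about when a table is dumped. The iteration count, the record format (`pbkdf2_sha256$iters$salt$dk`) and the sample password are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

# Assumed iteration count for this example; tune it to the largest value
# your login latency budget tolerates (it is stored with the record, so
# it can be raised later without breaking existing users).
PBKDF2_ITERATIONS = 600_000


def md5_store(password: str) -> str:
    """The scheme the post warns about: unsalted, one fast MD5 per guess,
    and identical passwords produce identical hashes across users."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash.
    Record format (assumed for this example): pbkdf2_sha256$iters$salt$dk, hex-encoded."""
    salt = os.urandom(16)  # fresh random salt per record, so no shared rainbow table
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count from the record and
    compare in constant time; malformed records simply fail to verify."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-core throughput of a hashing scheme on this machine.
    This is the defender's cost estimate: how many candidates an attacker
    who dumped the table can test per second with the same code."""
    n = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(f"candidate{n}")  # constructed throwaway input
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    record = pbkdf2_store("mayday1920")  # constructed sample password
    print("stored record :", record)
    print("verify correct:", pbkdf2_verify("mayday1920", record))
    print("verify variant:", pbkdf2_verify("Mayday1920", record))
    print(f"md5    : ~{guesses_per_second(md5_store):,.0f} guesses/s")
    print(f"pbkdf2 : ~{guesses_per_second(pbkdf2_store):,.0f} guesses/s")
```

Run it and compare the last two lines: the ratio between them is the factor by which the slow hash stretches an offline guessing run, and the per-record salt means each user's hash has to be attacked separately rather than all at once. The same shape of record (algorithm, cost, salt, digest) is what bcrypt, scrypt and Argon2 libraries store for you; PBKDF2 is used here only because it ships with the standard library.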