The attacker would then intercept that scrypt hash sent from the client and use ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		joesb on April 2, 2015 \| parent \| context \| favorite \| on: Enough with the Salts: Updates on Secure Password ... The attacker would then intercept that scrypt hash sent from the client and use it to authenticate.

timeal on April 3, 2015 [–]

You can't. The scrypt hash should be protected by HTTPS the same way a website password is protected by HTTPS.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact