HTML meet type="pSecure"

8 points by Cyndre, over 14 years ago

5 comments

tptacek, over 14 years ago
To summarize a prior discussion:

First, read: http://codahale.com/how-to-safely-store-a-password/

Next, note that rainbow tables don't enter into the Gawker break; Gawker used DES crypt(3) passwords, which can't readily be "rainbow tabled".

Finally, note that if you're going to advocate for a browser authentication change, there are cryptographically sound protocols that have been studied for over a decade that fit the bill far better than half-measures that do nothing but break "rainbow tables". A good one to start reading up on is SRP.
andrewjshults, over 14 years ago
If we take encrypt to mean hash (which is probably what the implementation would most likely mean), this still has the same problem that server-side hashing does. Hashing is fast, GPUs can burn through creating rainbow tables at incredible speed (see http://stacksmashing.net/2010/11/15/cracking-in-the-cloud-amazons-new-ec2-gpu-instances/ ). Now if it's talking about implementing bcrypt (http://codahale.com/how-to-safely-store-a-password/) in the browser that would be a real solution, but then the problem becomes adoption (at which point, you basically need to implement it on the server anyways). Plus, users would need to be signaled that this was a safe password box, vs. an unsafe one (which could easily be spoofed by malicious sites).
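
Added example, not part of the thread or of any commenter's code: it contrasts the fast unsalted hash discussed above with a salted, iterated hash. PBKDF2 from the Python standard library stands in for bcrypt here (an assumption of this example, since bcrypt is not in the standard library); the function names, wordlist, and iteration count are all constructed for illustration.

```python
import hashlib, hmac, os, time

ITERATIONS = 200_000  # assumed work factor for this example; tune per deployment

def fast_hash(password):
    """Unsalted single-pass SHA-256: the 'just hash it' baseline."""
    return hashlib.sha256(password.encode()).hexdigest()

def slow_hash(password, salt=None):
    """Salted, iterated hash (PBKDF2 here, standing in for bcrypt)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(slow_hash(password, salt)[1], digest)

def precomputed_table(wordlist):
    """A table built once reverses every unsalted hash of a listed password."""
    return {fast_hash(word): word for word in wordlist}

def cost_ratio(password="letmein", rounds=2000):
    """How many fast hashes fit in the time of one slow hash on this machine."""
    start = time.perf_counter()
    for _ in range(rounds):
        fast_hash(password)
    per_fast = (time.perf_counter() - start) / rounds
    start = time.perf_counter()
    slow_hash(password)
    return (time.perf_counter() - start) / per_fast

if __name__ == "__main__":
    # Constructed sample data: two users who chose the same password.
    table = precomputed_table(["123456", "letmein", "password"])
    for user in ("alice", "bob"):
        leaked = fast_hash("letmein")
        print(user, "unsalted:", leaked[:16], "-> table hit:", table.get(leaked))
    for user in ("alice", "bob"):
        salt, digest = slow_hash("letmein")
        print(user, "salted:  ", digest.hex()[:16], "-> table hit:",
              table.get(digest.hex()))
    print("one slow hash costs about %.0f fast hashes" % cost_ratio())
```

The unsalted records are identical across users and fall to a single lookup, while the salted records differ per user and each guess costs the full iteration count.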
rmc, over 14 years ago
*It would require nothing more then the browsers to implement it in the same way*

Oh dear. That'll never happen (examples: CSS, Html5 video, Javascript), which means this idea is dead in the water.
btn, over 14 years ago
Previous discussion (for the article this one is a response to): http://news.ycombinator.com/item?id=2000833
DjDarkman, over 14 years ago
I think this should be server side....