Comment by dspillett

Comment by dspillett 6 months ago

2 replies

Not if the check is done client-side, so the plain password never leaves your local domain. Of course the check being done client-side means that it isn't difficult to skip if you are inclined to make a smidgin of effort.

thih9 6 months ago

It can be done server side too; the old password can be sent along with the new one and the server can verify it.

  • dspillett 6 months ago

    Yes, what I meant to say is that it doesn't even have to be done server-side, so the fact it happens doesn't imply the server ever sees the old password beyond its initial setting.