LGF Login Notes 12 - Now with Extra Security
Yes, it’s another in the long-running series of updates and announcements about our new Ajax-driven login system.
The latest enhancement makes the system much more secure. Previously, your password was being transmitted in plain text when you clicked the log in button. (In fact, it’s been this way for years at LGF.) Theoretically, this means that if an attacker somehow managed to get in between our server and your computer, he/she/it could “sniff” your password and log in to your account.
In reality, this has never happened at LGF.
But this is a new security-conscious era, and to protect your password as well as possible, our Ajax login system now uses a random seed-based double hashing method (to get all nerdy for a second) so that your password is never sent in plain text at all: the server hands your browser a random one-time seed, the browser hashes your password, hashes that result together with the seed, and sends only the final hash. The random seed can only be used for one login and is then destroyed, so even if Joe Hacker manages to sniff your login information, it will be useless by the time he/she/it can do anything with it. (The method we use is similar to the one described here: Direct Login - Ajax Patterns.)