I think this vulnerability is specific to Oliver’s scheme, not Meteor. What Meteor does is hash the password on the client (not sure why, might as well send it in plaintext over SSL) and then hash and salt it on the server as well (which is good and right).
Yep, Meteor hashes twice. Not fully sure why. Probably to add an extra layer of security to non-SSL connections.
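The double hashing discussed in this thread, as an added example that is not part of the original posts and is not Meteor's own code: the client sends a digest, and the server salts and slow-hashes that digest before storing it. SHA-256 for the client step, scrypt for the server step, and all function names are assumptions chosen for illustration. The digest is the value the server authenticates, so the stored record's protection comes from the server-side step.

```javascript
// Added illustration; not Meteor's source. SHA-256 and scrypt are assumed stand-ins.
const crypto = require('node:crypto');

// Client side: digest the password before it leaves the browser.
function clientDigest(password) {
  return crypto.createHash('sha256').update(password, 'utf8').digest('hex');
}

// Server side, at registration: salt and slow-hash whatever the client sent.
function serverStore(digestFromClient) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(digestFromClient, salt, 32);
  return { salt: salt.toString('hex'), hash: hash.toString('hex') };
}

// Server side, at login: recompute with the stored salt, compare in constant time.
function serverVerify(digestFromClient, record) {
  const salt = Buffer.from(record.salt, 'hex');
  const expected = Buffer.from(record.hash, 'hex');
  const actual = crypto.scryptSync(digestFromClient, salt, expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample data: two users who picked the same password.
function demo() {
  const digest = clientDigest('correct horse battery staple');
  const alice = serverStore(digest);
  const bob = serverStore(digest);
  return {
    loginOk: serverVerify(digest, alice),
    wrongRejected: !serverVerify(clientDigest('guess'), alice),
    // Per-user salt: identical passwords do not produce identical records.
    recordsDiffer: alice.hash !== bob.hash,
    // The stored value is not the value that travels over the wire.
    storedIsNotWireValue: alice.hash !== digest,
  };
}

console.log(demo());
```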