From what I've seen... no. And not 'completely secure' or anything, just as secure/best-practices as HMAC passwords versus plaintext. But there's just basically no way to even remotely secure password changes that I can find that won't hand the 'keys to the kingdom' to anyone that gets a copy of that one, single HTTP request to the server.
There are a couple of 'public key' based ideas, but they're flat-out not possible in JavaScript due to speed overheads.
So... Internet Lunatics... anyone know of some research I missed somewhere to provide some cost-effective (in both runtime taken and actual data needed to be stored server-side) method to protect password changes?