I just found this article in which Paul talks about hashing passwords: https://blog.xojo.com/2015/10/09/tips-dealing-with-the-problem-of-passwords/
It’s critical message is:
I agree with that. In fact, I am worried about implementing this. Because, despite the fact that the blog article is tagged with the “Web” keyword, it does not address the problem with using this in a Web project:
In a Web project, the password needs to be hashed BEFORE it gets sent over the network to the Xojo app! Otherwise, the password, if not using SSL, could be easily compromized. And even with https it still violates the quoted rule, because now, the app knows the password, at least temporarily, although it should not need to. I.e, if the server got hacked, someone could then log every password that’s sent to the app.
Has someone solved this already?