Hacker News

Looks useful. I am seeing though

message[pre_encryption]

with my unencrypted message in the POST data?



Good catch, I'll take that out right now, thanks.

Edit: fixed. If anybody thinks of anything else, please let me know. This is as much of a learning exercise as anything for me.


This whole thread is like a textbook example of why people like me (breakers) have itchy trigger fingers when it comes to people building cryptography features.

I'm glad if this has been a good learning experience for you (may I suggest another?†), but real secure systems aren't, to steal a phrase from Richard Stallman, "debugged into existence": they start from a foundation of a secure, well-considered design and are verified piece by piece as the system is assembled.

† http://www.matasano.com/articles/crypto-challenges


I didn't know about those, they look very cool. Thanks for the link.


(His company produced the challenges also, for what it's worth.)


The password is sent in plaintext in the POST body.


Indeed, that one is listed in the known vulnerabilities section of the repo. Thank you for trying it out.


Thanks for making it! Computer security is a fascinating field that I've only begun to dive into recently.



