by krapp
2967 days ago
> That means the hashing needs to be done client side, probably with JavaScript. Is there any safe way to do that?

No [0,1...n]. Note that these articles are about encryption, but the arguments against JavaScript encryption apply to hashing as well. Also consider that no one logs this stuff accidentally to begin with. If the entity controlling the server and writing the code wants to log the passwords, they can rewrite their own JavaScript just as well as they can whatever is on the backend. There's nothing to be done about people undermining their own code.

[0] https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...
[1] https://tonyarcieri.com/whats-wrong-with-webcrypto

It's possible. You create an object called Foo (possibly serialized data like a protobuf, but any object), and you recursively dump the whole thing to the debug log. Then you realize, oh, when I access a Foo, sometimes I need this one field out of the User object (like their first name), so I'll just add a copy of User within Foo. You don't consider that the User object also contains the password as one of its members. Boom, you are now accidentally logging passwords.
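The leak described in the reply above, reproduced as an added example (not code from either commenter): a `Foo` that embeds a `User`, a naive recursive dump that writes every nested field to the debug log, and a hardened dump that redacts secrets both by an explicit `sensitive` marker and by a name deny-list, so a `password` field leaks neither when the `User` author marked it nor when whoever wrote the dumper never knew it was there. The class and field names, the sample record and the deny-list are all assumptions made up for the illustration.

```python
import json
import logging
from dataclasses import dataclass, field, fields, is_dataclass

# Names that are redacted even if the owning class never marked them sensitive
# (constructed deny-list; extend it to fit the code base being protected).
SENSITIVE_NAMES = {"password", "passwd", "secret", "token", "api_key"}


@dataclass
class User:
    first_name: str
    email: str
    # repr=False keeps the password out of the default repr(); the metadata flag
    # lets the dumper below redact it when it walks the object explicitly.
    password: str = field(repr=False, metadata={"sensitive": True})


@dataclass
class Foo:
    """The wrapper from the comment: someone needed user.first_name and embedded the whole User."""
    request_id: str
    user: User


def naive_dump(obj):
    """Recursive dump as the comment describes it: every nested field, password included."""
    if is_dataclass(obj):
        return {f.name: naive_dump(getattr(obj, f.name)) for f in fields(obj)}
    if isinstance(obj, (list, tuple)):
        return [naive_dump(x) for x in obj]
    if isinstance(obj, dict):
        return {k: naive_dump(v) for k, v in obj.items()}
    return obj


def safe_dump(obj):
    """Same walk, but a field is replaced by a placeholder if it is flagged sensitive
    by its dataclass metadata or if its name is on the deny-list, however deeply nested."""
    if is_dataclass(obj):
        out = {}
        for f in fields(obj):
            if f.metadata.get("sensitive") or f.name.lower() in SENSITIVE_NAMES:
                out[f.name] = "<redacted>"
            else:
                out[f.name] = safe_dump(getattr(obj, f.name))
        return out
    if isinstance(obj, (list, tuple)):
        return [safe_dump(x) for x in obj]
    if isinstance(obj, dict):
        return {k: ("<redacted>" if str(k).lower() in SENSITIVE_NAMES else safe_dump(v))
                for k, v in obj.items()}
    return obj


def log_debug(obj, dumper=safe_dump):
    """Serialize with the given dumper and return the line that would hit the log."""
    line = json.dumps(dumper(obj), sort_keys=True)
    logging.getLogger("app").debug("state=%s", line)
    return line


# Constructed sample record; the password value is a stand-in, not a real credential.
SAMPLE = Foo(request_id="req-001", user=User("Ada", "ada@example.invalid", "hunter2"))

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print("naive:", log_debug(SAMPLE, naive_dump))   # password is in the log line
    print("safe: ", log_debug(SAMPLE, safe_dump))    # password replaced by <redacted>
    print("repr: ", repr(SAMPLE))                     # repr=False already omits it
```

The two defences are complementary: `field(repr=False, metadata=...)` protects the object wherever the owning team controls its definition, while the name deny-list in the dumper catches the case the comment is about, a secret-bearing type pulled into a structure by someone who never looked at all its members. Neither helps if the secret sits in a plain dict under an unexpected key, which is the argument for a redacting log handler as a last line rather than trusting every call site.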