by krapp
2959 days ago
It would also be useful in finding hash collisions which would give an attacker access to a user's account without needing the actual password, which is made easier with the ability to study the client-side code doing the hashing, and taking note of the algorithm and methods used. Sending a password in plaintext over HTTPS is more secure than hashing it in JavaScript first and sending the hash.

If it's practical to find a hash collision, your hash algorithm is broken.
> which is made easier with the ability to study the client-side code doing the hashing, and taking note of the algorithm and methods used.
The security of a system should not depend at all on that information being secret.