by 8organicbits 1637 days ago
If we add client side hashing, it does nothing to prevent hash replay attacks. Agreed.

However, it prevents the attacker from immediately trying the same raw password on other sites (i.e. credential stuffing). They would need to perform an additional offline attack on the first hash. This adds cost to something that would have previously been trivial.

Given that about 65% of users reuse passwords and 76% don't even use a password manager [1], I think that slowing down credential stuffing attacks is important.

Protecting against some attacks is valuable even if you don't protect against all attacks. Layered security.

1. https://services.google.com/fh/files/blogs/google_security_i...