[skeeks]

And what if the server is compromised in the future? It is trivially to then extract all the cookies and send them to a attacker-controlled server. The attacker then uses those password to try to login on different platforms.

After initially setting a password, the database/server should only store a salted hash.

No exceptions.

[invokestatic]

Nothing stops a hacker from siphoning all the credentials from a login page either. Servers have to handle plaintext passwords regularly.

[djtriptych]

but only ever in memory. writing to disk is the issue here.

[icedchai]

Often, it is plaintext over the internal network. A TLS/SSL terminating load balancer decrypts the traffic, then your request is in clear text as it hits the internal web or app server. It can be sniffed and logged without modifying the application.

[UncleMeat]

But there is no evidence that they are writing the passwords to disk.

[lxgr]

They are writing the passwords to users' disks at least, which by itself is already really bad and easily avoidable.

[UncleMeat]

How is that bad?

If you've got malware on your machine then you are already fucked. Desktops don't tend to have strong process isolation that keeps malware from reading a password in flight anyway.

[djtriptych]

I'm talking about authenticating servers in general, not just lenovo.

[foobarbecue]

No. Servers should never see the actual password. What case are you imagining where they need to?

[coder543]

> Servers should never see the actual password.

Are you actually doing client-side hashing in addition to hashing on the server side? Otherwise, yes, the server does see the password. In most applications, a compromised server could just serve a login page that doesn't do the client-side hashing anymore if the malicious actor wanted to collect credentials, so I don't see how this added complexity is really adding any security.

The real way to add more security is to minimize dependence on passwords by implementing a better, second factor of authentication, such as TOTP, WebAuthn, SSO, or even SMS or email tokens. Unless a person is using a password manager to generate their passwords, then passwords are almost always terrible and weak, and usually reused across sites. More of my opinion is shared over here[0].

[0]: https://news.ycombinator.com/item?id=30559443

[CorrectHorseBat]

>In most applications, a compromised server could just serve a login page that doesn't do the client-side hashing anymore if the malicious actor wanted to collect credentials, so I don't see how this added complexity is really adding any security.

That takes much more time and requires the attacker to be able to, unnoticed, change the served data.

[coder543]

"Much" more time? Do you have any sources to back that up? Why is combining client-side and server-side hashing not commonly considered best practice if it's so great?

I don't agree at all. Login pages are static, since they don't need to be customized per user, because the users aren't logged in. Anyone could easily prepare a modified login page before compromising the underlying system, and swap it in immediately after compromise. The added implementation complexity for the original developer is simply security theater.

Client-side hashing of passwords is actually a dangerous thing to recommend, in my opinion, because a lot of developers would assume that it removes the need to also hash on the server-side. At which point, they would literally be storing the actual password in plaintext in their database, since the client-side hash is the password.

Client-side hashes also aren't going to have a per-user salt, which means that an attacker can just use a rainbow table to reverse the hash of most passwords... making it even less worthwhile. The attacker doesn't even need to change the served content, but they certainly can.

As I mentioned in my previous comment, and I will repeat it here, real benefit to authentication security only comes from adding 2FA or SSO. Don't waste your time on security theater.

[Dylan16807]

> As I mentioned in my previous comment, and I will repeat it here, real benefit to authentication security only comes from adding 2FA or SSO. Don't waste your time on security theater.

In theory there's also convincing browsers to implement a zero-knowledge protocol like SRP.

[born2discover]

I believe they are referencing the fact that upon a login attempt the server does receive a plaintext password per se.

Usually it is stored in memory only long enough to compare it to the hashed version from the persistence layer but... that's in theory.

[tuwtuwtuwtuw]

When it comes to memory then it will typically be stored longer than necessary due to how garbage collection works in 99% of all of web applications.

[hardware2win]

To generate tokens?

[megous]

If server is compromised, passwords are compromised too regardless if they are hashed or not.

I can selectively deauth a user to make them login again in short order and take his password.

It depends on the level of compromise, of course.

[Tepix]

If it's a short breakin where someone manages to dump the DB it makes a big difference.

Strong hashes are the way to go.

[BenjiWiebe]

Re deauthing. This sort of attack isn't nearly as useful if the server is something like a bank where most users only log in once in a while and don't access the account at all in between.