by FreakLegion
1360 days ago
You're not wrong. To clearly delineate the two possibilities:

1. Hashing client-side in addition to standard server-side handling (Have I Been Pwned passwords disallowed, good hash function, preferably memory-hard, salted, peppered for storage, etc.). In this case client-side hashing adds complexity but doesn't improve the security model at all, so we shouldn't do it. Which is why nobody does it.

2. Hashing client-side instead of standard server-side handling. In this case client-side hashing completely breaks the security model, since the hash is equivalent to a cleartext password, so we shouldn't do it. Besides random websites, this kind of mistake has actually been made at scale. See https://en.wikipedia.org/wiki/Pass_the_hash.

In summary, basic client-side hashing either doesn't improve security or compromises it, and is therefore best avoided.
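The two possibilities in the comment above, as an added Python example (not code from the commenter or from any real site): a toy back-end that stores and compares a client-computed hash directly, beside one that does the standard server-side handling (salt per user, a secret pepper, memory-hard scrypt). The check each one answers is the one that matters for the pass-the-hash point: does the value sitting in the database work as a credential on its own? Class names, the pepper value and the scrypt cost parameters are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo of the two possibilities discussed above. Not production code.

# --- Possibility 2: client-side hashing *instead of* server-side handling.
# The server stores the client-computed hash and compares it directly, so the
# stored value is itself a valid credential: whoever reads the database can
# present it without ever knowing the password (the pass-the-hash situation).

def client_only_hash(password: str) -> str:
    """What a naive client would send in place of the password."""
    return hashlib.sha256(password.encode()).hexdigest()

class ClientHashOnlyServer:  # hypothetical name
    def __init__(self):
        self.db = {}  # username -> stored client hash (hex)

    def register(self, user: str, client_hash: str) -> None:
        self.db[user] = client_hash

    def login(self, user: str, client_hash: str) -> bool:
        stored = self.db.get(user)
        return stored is not None and hmac.compare_digest(stored, client_hash)

# --- Standard server-side handling (the server part of possibility 1):
# per-user random salt, a secret pepper held outside the database, and a
# memory-hard KDF. A stolen record is not a usable credential by itself.

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # assumption: demo-sized cost

class ServerSideHashingServer:  # hypothetical name
    def __init__(self, pepper: bytes):
        self.pepper = pepper  # secret; must not live in the same database
        self.db = {}  # username -> (salt, scrypt hash)

    def _hash(self, secret: str, salt: bytes) -> bytes:
        return hashlib.scrypt(secret.encode() + self.pepper, salt=salt,
                              dklen=32, **SCRYPT_PARAMS)

    def register(self, user: str, secret: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, self._hash(secret, salt))

    def login(self, user: str, secret: str) -> bool:
        rec = self.db.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash(secret, salt))

def replay_check_client_hash_only() -> bool:
    """True if the stored value alone logs in: the database leak is a credential leak."""
    srv = ClientHashOnlyServer()
    srv.register("alice", client_only_hash("correct horse battery staple"))
    stored_value = srv.db["alice"]          # what a database dump would expose
    return srv.login("alice", stored_value)

def replay_check_server_side() -> tuple:
    """(stored value works?, real password works?) for the server-side-hashing design."""
    srv = ServerSideHashingServer(pepper=b"demo-pepper")
    srv.register("alice", "correct horse battery staple")
    _salt, stored_value = srv.db["alice"]
    stored_works = srv.login("alice", stored_value.hex())   # server re-hashes it: mismatch
    password_works = srv.login("alice", "correct horse battery staple")
    return stored_works, password_works

if __name__ == "__main__":
    print("client-hash-only: stored value logs in ->", replay_check_client_hash_only())
    print("server-side hashing: (stored value, password) ->", replay_check_server_side())
```

The first check returns True, which is the whole problem with possibility 2: the database row is the credential, so a stolen hash is replayed exactly like a stolen password. The second returns (False, True): the server derives a fresh scrypt value from whatever it receives, so a stolen record cannot be presented back, and only the password itself authenticates. Adding a client-side hash in front of the second design changes nothing about that outcome, which is the comment's point about possibility 1.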