
I've certainly never encountered a web app that hashes locally before sending. I suppose it could work if this was at the account creation or password management stages, but you couldn't implement it at the login stage for obvious reasons.

I'm having trouble imagining what scenario client-side hashing would protect against.



Man-in-the-middle attacks fetching plaintext passwords.

-- edit: using a KDF would improve it even more.


If the client only sends the hash to the server, a MitM also only needs to capture the hash.


Sure, but if they've MITM'd your trusted certs, aren't you already boned in so many ways?
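The exchange above can be made concrete with a small simulation. This is an added example, not code from any commenter: the client runs a KDF over the password (salted with the username so no salt round-trip is needed) and sends only the result; the server hashes that wire token again before storing it. The iteration counts and the in-memory "database" are constructed for the demo, not recommended production parameters. It shows both points made in the thread: the plaintext never crosses the wire, but whoever captures the wire token can replay it, because to the server that token is the password.

```python
import hashlib
import hmac
import secrets

# Constructed demo parameters; real deployments tune these to their own threat model.
CLIENT_KDF_ITERATIONS = 100_000
SERVER_KDF_ITERATIONS = 10_000


def client_derive(username: str, password: str) -> bytes:
    """Client side: KDF over the password so the plaintext never leaves the client.
    The username is the salt, so the client needs no server round-trip for it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), CLIENT_KDF_ITERATIONS)


class Server:
    """Server side: treats the wire token as the credential and hashes it again,
    so a leaked database row is not directly usable as a login token."""

    def __init__(self) -> None:
        self.db: dict[str, tuple[bytes, bytes]] = {}  # username -> (salt, stored hash)

    def _hash(self, wire_token: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", wire_token, salt, SERVER_KDF_ITERATIONS)

    def register(self, username: str, wire_token: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.db[username] = (salt, self._hash(wire_token, salt))

    def login(self, username: str, wire_token: bytes) -> bool:
        rec = self.db.get(username)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash(wire_token, salt))


def demo() -> dict[str, bool]:
    srv = Server()
    user, pw = "alice", "correct horse battery staple"  # constructed sample credentials
    srv.register(user, client_derive(user, pw))
    captured = client_derive(user, pw)  # what an eavesdropper sees instead of the plaintext
    return {
        # The thread's point: the captured wire token authenticates just as well as the password.
        "replay_of_wire_token_succeeds": srv.login(user, captured),
        # Why the server still hashes: the stored value on its own does not authenticate.
        "leaked_db_value_authenticates": srv.login(user, srv.db[user][1]),
        "wrong_password_authenticates": srv.login(user, client_derive(user, "wrong")),
    }
```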



