Which is a good case for client side hashing?

A good case for client-side hashing is the way some “password safes” work: they compute a site-specific password by hashing the user’s “master password” together with the site name. This gives most of the usability of using the same password everywhere, without actually handing your master password to dozens of distinct sites.

Is there a standard for client-side password hashing?

(Personally, I keep a file of passwords, and all my passwords are generated randomly.) A Google employee is working on something similar called TLS-OBC. This RFC draft allows the client to hash the password and bind it to a TLS session.

Why do we use slow hashes instead of fast hashes?

Password hashing helps prevent anyone except the user from learning the password. People reuse passwords and they are usually not very strong if memorised. That’s why we bother with slow hashes (Bcrypt, Scrypt, Argon2, etc.) instead of a fast hash: it protects the user’s password better, even though it does not have any benefit for the application.

What happens if everybody hashes the same password?

This is evidenced by the fact that if everybody did the same client-side hash thing, then the attacker would be able to reuse those hashes. Thus, if the user has different passwords for different services, your approach earns nothing. Addendum: What if you wanted to defend the user from the administrators?

Why is client-side hashing of a password so uncommon?

The reason that passwords are hashed is because the problem isn’t the authentication, but the storage. If the server is ever compromised, the attacker would immediately have access to all user accounts as they would now know the secret used for authentication of the users. Hashing acts as a barrier to this.

Which is more secure client side or server side?

We are debating which is more secure: hashing a password on the client side (via a JavaScript SHA-256 function) or hashing it on the server side. My point of view is that by hashing on the client side, the unencrypted password is never passed across the network.
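As an added example (not code from any of the answers quoted here), the following Python sketches both halves of the picture: the password-safe derivation of a site-specific password from a master password and site name, and a server that still salts and slow-hashes whatever value it receives, so a stolen table does not hand out a replayable credential. The site names, sample master password and scrypt parameters are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os

# scrypt work factors; assumed values, tune for your own hardware budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _scrypt(password: str, salt: bytes) -> bytes:
    """Slow, memory-hard KDF (the kind of function preferred over a bare SHA-256)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def derive_site_password(master: str, site: str) -> str:
    """Client side: the password-safe scheme. The site name is the salt, so every
    site receives a different value and the master password never leaves the client."""
    return base64.b64encode(_scrypt(master, site.lower().encode("utf-8"))).decode("ascii")


def server_store(received: str) -> tuple[bytes, bytes]:
    """Server side: the received string is simply this user's password for this site.
    It is salted per user and slow-hashed before storage, because a compromised
    table must not yield something an attacker could replay to log in."""
    salt = os.urandom(16)
    return salt, _scrypt(received, salt)


def server_verify(received: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash under the stored salt and compare in constant time."""
    return hmac.compare_digest(_scrypt(received, salt), stored)


def demo() -> dict:
    master = "correct horse battery staple"  # constructed sample master password
    pw_a = derive_site_password(master, "example.com")
    pw_b = derive_site_password(master, "example.org")
    salt, stored = server_store(pw_a)
    return {
        "distinct_per_site": pw_a != pw_b,
        "reproducible": pw_a == derive_site_password(master, "example.com"),
        "login_ok": server_verify(pw_a, salt, stored),
        "other_site_value_accepted": server_verify(pw_b, salt, stored),
        "master_never_stored": master.encode() not in stored and pw_a.encode() not in stored,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```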

What’s the point of hashing passwords for authentication?

The idea is that the hash is reproducible for authentication, yet hopefully not vulnerable to reverse-engineering attacks (to discover the literal password) other than brute force if the server data is compromised.