2

I've been reading about hashing and encryption so I can make more informed decisions.

I already know the benefits of ssl and password hashing serverside as best practises. However I was wondering, as a platform holder, whether it would be better for my users for them never to have sent my server their passwords in their original form. I.e type password, hash on client, send over ssl, hash with salt to database... rehash on client and server and compare on login.

Would this enable a service to claim to never having had a users password at all in a way?

UPDATE This was marked as duplicate, but my question is concernd with protecting the password from the service itself, not any man in the middle attack. With SSL or plain text to the server, the server gets the password. Is there a way of sending a password / or loggin without the server knowing the password. hope that makes sense :)

benbyford
  • 211
  • 2
  • 7
  • Wouldn't the new hash sort of work as a password in this scheme? – Limit Dec 18 '16 at 01:18
  • What if an adversary simply stores the hash and uses it for the next time? – Limit Dec 18 '16 at 01:19
  • 1
    While it may not provide any additional security for a single service, I think it would effectively prevent password re-use, providing no other service created the client side hash using the same parameters. – Jens Ehrich Dec 18 '16 at 04:56
  • @Limit indeed, my point is, is there a way of sending a password to the server that still protects the password. I.e. if the application is compremised, the app would only get the hash not the plain text password – benbyford Dec 30 '16 at 09:48
  • After searching similar questions, I was thinking to ask a similar question but I found this question. The fact that this question marked as duplicate seems really weird to me because pointed question does not answer this one. Maybe this question would be more appropriate for making this duplicate [Benefits to client-side password hashing on top of other security mechanisms](https://security.stackexchange.com/questions/174899/benefits-to-client-side-password-hashing-on-top-of-other-security-mechanisms?rq=1) – unlut Apr 14 '19 at 18:52

1 Answers1

0

Your proposed scheme "works", but it achieves nothing. If a cracker obtains your database, they will still be able to guess-and-check potential passwords for users. The salt used when you hash on the client side has to be the same each time (otherwise the same user wouldn't be able to log in again with the same password).

DepressedDaniel
  • 1,240
  • 6
  • 8