I'm trying to wrap my head around the authentication/authorization process within web apps that encrypt data on the client side, and I'm getting very confused about it. Hopefully you can clarify it for me.

Where should encryption of the password happen, on the client side or the server side? If indeed on the client side, then please, by all means, explain to me why... because if the network layer is compromised, a potential hacker will get the encrypted password as it is (encrypted, yes), and because the only thing done on the server is comparing the encrypted password (encrypted on the client) with the one stored in the DB, it's actually going to be less secure.

What am I getting wrong here, please?

  • You shouldn’t encrypt passwords at all, you should hash them. That’s not the same thing. – Mike Scott Mar 28 '21 at 17:20
  • There are many similar questions already on this site, like [https security - should password be hashed server-side or client-side?](https://security.stackexchange.com/questions/8596/), [Why is client-side hashing of a password so uncommon?](https://security.stackexchange.com/questions/53594/) and [more](https://www.google.com/search?q=site%3Asecurity.stackexchange.com+client+side+password+hashing+vs.+server+side). I think several of these can be regarded as duplicates of yours, so please study these instead of expecting an answer here. – Steffen Ullrich Mar 28 '21 at 17:25
  • @MikeScott thanks for correcting me on this one, I know it. – markfetto Mar 28 '21 at 17:35
  • @SteffenUllrich Thanks a lot, that's what I was looking for – markfetto Mar 28 '21 at 17:35

0 Answers