Timeline for Does client side hashing add any benefit here?
Current License: CC BY-SA 3.0
11 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Jul 27, 2021 at 9:30 | comment added | Leszek Szary | | "The only advantage you have in this scheme is that the server is never aware of the user's cleartext password, not even in memory." - I think this is actually a huge advantage so best to hash on both client and server side especially in case of a mobile app. |
| Jan 26, 2018 at 14:36 | comment added | Philipp | | @forest When you have a good example for such a dedicated protocol, then you might want to explain it in a separate answer. Btw: The question says this is about an Android/iPhone app, not a web application. |
| Jan 26, 2018 at 14:30 | comment added | forest | | Not just little gain, but potential risk. The extra complexity in JavaScript means that users who do not have JavaScript enabled will be unable to log in. Users with very old computers may be forced to wait a long time for the password to submit. When the password absolutely must not be known by the server, there are other dedicated protocols that would be better than a homebrew "hash the hash" setup. |
| Jan 26, 2018 at 10:49 | vote accept | Lukas Knuth | | |
| Jan 26, 2018 at 10:48 | comment added | Lukas Knuth | | Sounds like very little gain for the additional complexity. I think I'm going to stick with just HTTPS. Thanks! |
| Jan 26, 2018 at 10:30 | history edited | Philipp | CC BY-SA 3.0 | added 17 characters in body |
| Jan 26, 2018 at 10:22 | history edited | Philipp | CC BY-SA 3.0 | added 5 characters in body |
| Jan 26, 2018 at 10:17 | comment added | Philipp | | @LukasKnuth The server would store hashes of hashes. I edited the answer to make that clear. |
| Jan 26, 2018 at 10:16 | history edited | Philipp | CC BY-SA 3.0 | added 121 characters in body |
| Jan 26, 2018 at 10:15 | comment added | Lukas Knuth | | Your first point would only be the case if the hash that I store in the DB would equal the hash that is generated on the client side. Is there no way to have some sort of derived keys that work for comparing but aren't actually the same? |
| Jan 26, 2018 at 10:12 | history answered | Philipp | CC BY-SA 3.0 | |
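The "hash the hash" scheme the comments argue about (the client derives a token from the password, the server stores a salted hash of that token, so the DB never holds the value the client sends) is written out below as an added, runnable example so its properties can be checked. This is not code from the question, the answer or any commenter; the app label, iteration counts and the derivation of the client-side salt from the username are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Added example of the client-hash / server-hash-of-hash scheme. Labels, iteration counts
# and the client salt construction are assumptions, not values from the original thread.

CLIENT_ITERATIONS = 100_000   # cost paid on the phone/browser
SERVER_ITERATIONS = 100_000   # cost paid on the server


def client_derive(username: str, password: str) -> bytes:
    """Client side: turn the cleartext password into a fixed token before sending it.

    The salt must be reproducible at every login, so it is derived from the username plus
    an app-specific label (assumption; a server-issued per-user salt also works). The same
    password therefore yields different tokens for different usernames, and the server
    never receives the cleartext.
    """
    salt = hashlib.sha256(b"example-app/client-salt/v1:" + username.lower().encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_ITERATIONS)


class Server:
    """Server side: treat the received token as the password and hash it again.

    The database holds a hash of the client's hash under a random per-user salt, so a
    dump reveals neither the cleartext nor the token that would let an attacker log in.
    """

    def __init__(self) -> None:
        self._db: dict[str, tuple[bytes, bytes]] = {}  # username -> (salt, stored_hash)

    @staticmethod
    def _hash_token(token: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", token, salt, SERVER_ITERATIONS)

    def register(self, username: str, token: bytes) -> None:
        salt = os.urandom(16)
        self._db[username] = (salt, self._hash_token(token, salt))

    def login(self, username: str, token: bytes) -> bool:
        record = self._db.get(username)
        if record is None:
            # Pay the same KDF cost for unknown users so response time does not
            # reveal which usernames exist.
            self._hash_token(token, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(self._hash_token(token, salt), stored)

    def dump(self, username: str) -> tuple[bytes, bytes]:
        """What an attacker obtains from a database compromise."""
        return self._db[username]


def demo() -> dict[str, bool]:
    """Exercise the scheme and report the properties the comments argue about."""
    server = Server()
    password = "correct horse battery staple"
    token = client_derive("alice", password)
    server.register("alice", token)
    # A second user with the same password, to show the token is bound to the username.
    server.register("bob", client_derive("bob", password))

    _, stored = server.dump("alice")
    return {
        # Normal login with the right password succeeds; a wrong password fails.
        "right_password": server.login("alice", client_derive("alice", password)),
        "wrong_password": server.login("alice", client_derive("alice", "wrong")),
        # The DB does not hold the client's token itself, only a value derived from it.
        "db_holds_token": stored == token,
        # The caveat: the token is password-equivalent. Anyone who captures it in transit
        # can replay it without knowing the password, so TLS is still required.
        "replayed_token": server.login("alice", token),
        # Alice's token does not log in as Bob even though both chose the same password.
        "token_for_other_user": server.login("bob", token),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `replayed_token` result is the practical limit of the scheme: hashing on the client changes what the server learns, not what an eavesdropper can do with the captured value, which is why transport security is still needed and why a purpose-built protocol is the alternative when the server must never learn the password.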