👨‍👩‍👧‍👦 Bret 🌲🚙 · Dec 11, 2020 · 3:28 AM UTC

👨‍👩‍👧‍👦 Bret 🌲🚙

👨‍👩‍👧‍👦 Bret 🌲🚙 @bcomnes

11 Dec 2020

Has anyone tried a password auth system that standardizes on some front-end hashing strategy, so that the API never sees/touches the plain text version of the password?

Aaron Parecki · Dec 11, 2020 · 5:16 AM UTC

Aaron Parecki · Dec 11, 2020 · 5:16 AM UTC

Aaron Parecki @aaronpk

11 Dec 2020

Replying to @bcomnes

It's one of the oldest tricks in the books 🙃

Dec 11, 2020 · 5:16 AM UTC

👨‍👩‍👧‍👦 Bret 🌲🚙 · Dec 11, 2020 · 3:43 PM UTC

👨‍👩‍👧‍👦 Bret 🌲🚙 @bcomnes

11 Dec 2020

Replying to @aaronpk

I know bcrypt/hash+salt on server for storage has been best practice for ages. Or has client/browser side hashing before sending to a server been wide spread?

Aaron Parecki · Dec 11, 2020 · 3:57 PM UTC

Aaron Parecki @aaronpk

11 Dec 2020

It's part of the old-school HTTP Digest Auth en.wikipedia.org/wiki/Digest… It just doesn't really solve things the way you'd expect.

Digest access authentication - Wikipedia

en.wikipedia.org

more replies