👨‍👩‍👧‍👦 Bret 🌲🚙 · Dec 11, 2020 · 3:28 AM UTC

👨‍👩‍👧‍👦 Bret 🌲🚙

👨‍👩‍👧‍👦 Bret 🌲🚙 @bcomnes

11 Dec 2020

Has anyone tried a password auth system that standardizes on some front-end hashing strategy, so that the API never sees/touches the plain text version of the password?

Aaron Parecki · Dec 11, 2020 · 5:16 AM UTC

Aaron Parecki @aaronpk

11 Dec 2020

It's one of the oldest tricks in the books 🙃

👨‍👩‍👧‍👦 Bret 🌲🚙 · Dec 11, 2020 · 3:43 PM UTC

👨‍👩‍👧‍👦 Bret 🌲🚙 @bcomnes

11 Dec 2020

I know bcrypt/hash+salt on server for storage has been best practice for ages. Or has client/browser side hashing before sending to a server been wide spread?

Aaron Parecki · Dec 11, 2020 · 3:57 PM UTC

Aaron Parecki · Dec 11, 2020 · 3:57 PM UTC

Aaron Parecki @aaronpk

11 Dec 2020

Replying to @bcomnes

It's part of the old-school HTTP Digest Auth en.wikipedia.org/wiki/Digest… It just doesn't really solve things the way you'd expect.

Digest access authentication - Wikipedia

en.wikipedia.org

Dec 11, 2020 · 3:57 PM UTC

👨‍👩‍👧‍👦 Bret 🌲🚙 · Dec 11, 2020 · 4:06 PM UTC

👨‍👩‍👧‍👦 Bret 🌲🚙 @bcomnes

11 Dec 2020

Replying to @aaronpk

ah yeah @Johannes_Ernst mentioned that. Looks like a funky variant of basic auth. > doesn't really solve things the way you'd expect. Know of any writing on perspective on that? Curious what the issues were SRP looks like a promising approach. medium.com/swlh/what-is-secu…

What Is Secure Remote Password (SRP) Protocol and How to Use It?

“Password” this crazy piece of string worth a lot, get a lot of attention but yet very hard to process & hide. Even with the multi-factor…

medium.com