Timeline for Why is client-side hashing of a password so uncommon?
Current License: CC BY-SA 3.0
8 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| Apr 18, 2021 at 15:53 | review | Low quality posts | |||
| Apr 18, 2021 at 17:01 | |||||
| May 8, 2017 at 2:39 | review | Suggested edits | |||
| May 8, 2017 at 6:42 | |||||
| Mar 18, 2014 at 14:33 | comment | added | Gumbo | A server with all its user data is a way more valuable target than one single user. | |
| Mar 18, 2014 at 11:20 | comment | added | CodesInChaos | The way Twitter works is that you follow people whose tweets you find interesting. No need to ask for permission. | |
| Mar 18, 2014 at 11:05 | comment | added | CodesInChaos | The "server is more secure" argument makes little sense in this context. 1) The client knows the plaintext password, so a trojan can trivially steal it with a key-logger. 2) Password hashing only offers an advantage over plaintext passwords when the server gets hacked and the database gets stolen. | |
| Mar 18, 2014 at 11:03 | comment | added | CodesInChaos | We generally frown on secret algorithms (See Kerckhoffs's principle and security-through-obscurity). Password hashing certainly doesn't need to rely on this. At most we apply a key and hope that the attacker doesn't find it even if they manage to steal the database. | |
| Mar 18, 2014 at 11:01 | review | First posts | |||
| Mar 18, 2014 at 11:24 | |||||
| Mar 18, 2014 at 10:42 | history | answered | Li Billy | CC BY-SA 3.0 |