Linked Questions

-1 votes, 3 answers, 5k views

In the design of a backend database, the password field is supposed to be hashed using bcrypt. There are two approaches: backend only: password = bcrypt(plain_password); frontend + backend: password = ...
Asked by Ryan
0 votes, 0 answers, 160 views

This question asks whether one should hash on the client or the server. I want to know if there is any reason, aside from having to maybe handle one extra hashing library (if it's not already in your ...
Asked by DeusXMachina
0 votes, 0 answers, 161 views

A question I came up with while reading in my information security class. Let's say website ABC, which uses username and password combinations to authenticate users, has a user John. When John goes ...
Asked by Nihal
63 votes, 8 answers, 21k views

As the title says, I was asked for my online banking password while in the process of getting in touch with a real person. This is something I'd never do, and knowing that the call was being recorded (for ...
Asked by sysfiend
38 votes, 8 answers, 16k views

Edit: Updated to put more emphasis on the goal - peace of mind for the user, and not beefing up the security. After reading through a few discussions here about client side hashing of passwords, I'm ...
Asked by Foy Stip
27 votes, 6 answers, 10k views

I'm working with some middleware that requires username/password authentication. The middleware uses MD5 hash for the password. The MD5 hash, of course, is not fit for the purpose of storing passwords....
Asked by John Wu
12 votes, 4 answers, 19k views

I am in a bit of confusion, as we have been asked to AES-encrypt passwords before sending them to the server. The whole website communicates over HTTPS with the server and uses secure cookies. AFAIK, ...
Asked by Flying Gambit
16 votes, 5 answers, 15k views

Does larger hash size improve the security? Is it overkill to use a 512-bit hash? If I stored only 256 bits of the PBKDF2-SHA512 derived key, is it less, equal or safer than 256 bits of PBKDF2-SHA256? ...
Asked by brian14708
32 votes, 2 answers, 5k views

When storing users' passwords that you need to verify against (but not use as plaintext), the current state of the art is: hash the password; use a salt; use a slow hash function (bcrypt, scrypt, etc.) ...
Asked by paj28
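The salted, slow, verifiable storage that the question above lists (and the "store only 256 bits of a PBKDF2-SHA512 key" question a few entries earlier asks about) in working code. This is an added example and is not code from any of the linked questions or their answers; it uses only Python's standard library, with PBKDF2-HMAC-SHA512 standing in for bcrypt or scrypt because it needs no third-party package. The record format `pbkdf2$<prf>$<iterations>$<salt>$<key>`, the iteration count and the salt length are assumptions chosen for the example, not a standard.

```python
"""Added example: salted, iterated password hashing with a self-describing
stored record and constant-time verification (Python standard library only).
PBKDF2-HMAC is used here because it ships with Python; bcrypt/scrypt/Argon2
are the usual choices when a package is available."""
import base64
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Assumed parameters for this example; tune ITERATIONS to your own hardware.
PRF = "sha512"        # PBKDF2 pseudo-random function
ITERATIONS = 210_000  # work factor
SALT_BYTES = 16       # 128-bit random salt per password
DKLEN = 32            # keep 256 bits of the SHA-512-based derived key


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def _password_bytes(password: str) -> bytes:
    # Normalise so visually identical Unicode input verifies consistently.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a stored record 'pbkdf2$<prf>$<iterations>$<salt>$<key>'.

    A fresh random salt per password means two users with the same password
    get different records and a precomputed table cannot be reused."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(PRF, _password_bytes(password), salt,
                              iterations, dklen=DKLEN)
    return "$".join(["pbkdf2", PRF, str(iterations), _b64(salt), _b64(key)])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the parameters stored in the record and
    compare in constant time, so timing does not leak matching prefixes.
    Malformed records simply fail verification."""
    try:
        scheme, prf, iters, salt_b64, key_b64 = record.split("$")
        if scheme != "pbkdf2":
            return False
        iterations = int(iters)
        salt = _unb64(salt_b64)
        expected = _unb64(key_b64)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac(prf, _password_bytes(password), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True when the record was made with fewer iterations than current
    policy, so it can be upgraded at the user's next successful login."""
    try:
        _, _, iters, _, _ = record.split("$")
        return int(iters) < min_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("Tr0ub4dor&3", rec))                   # False
```

Because the iteration count travels with the record, the work factor can be raised later without invalidating existing users: `needs_rehash` flags old records, and the server re-hashes the plaintext it already has at the moment of a successful login.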
11 votes, 4 answers, 1k views

I was reading an answer by Terry Chia to another question about the requirements for a salt, in which he/she (among others) specified that salts need to be globally unique, but doesn't go into any ...
Asked by Char Star
3 votes, 2 answers, 2k views

The oft-mentioned approach for website password-handling is to use a server-side language to employ a suitable hashing algorithm (stretched or otherwise designed to overly-consume computing resources),...
Asked by Louis Jackman
5 votes, 4 answers, 2k views

I am trying to figure out what would be the 'perfect' authentication system for a website. On one end, we know that simple hashing algorithms can be brute-forced or cracked in other ways. Hence why ...
Asked by hbCyber
2 votes, 1 answer, 3k views

I got into a discussion with one of our senior developers over password hashing/transmission best practices and it left me curious as to what the industry standard best practice is. In the previous/...
Asked by JD Davis
1 vote, 2 answers, 5k views

I'm using dcodeIO/bcrypt.js to hash user password on login before sending it to the server. On the server-side I then hash this again and compare with the doubly hashed stored password. The question: ...
Asked by Andreas Zita
4 votes, 1 answer, 4k views

Reading about hashing, salt and pepper, I can't get my head around the following scenario: If there's a web application and you register on that site, should the password be hashed on the client or ...
Asked by N. Groß
