Jayd-H / UniSphere

UniSphere webapp for DDD course
https://unispher-e.vercel.app

password hashing should be refactored to the frontend, therefore sending the hash to the backend rather than the password #135

Open Jayd-H opened 5 months ago

Jayd-H commented 5 months ago

This is so we are not susceptible to interception of the plaintext password whilst sending it from both the register and login pages.

BallerHat commented 5 months ago

I'm not sure this is a good idea, as the hash could still be intercepted and used to log in in a replay attack. The best defence against this sort of thing, without then creating more problems, would be to use SSL. But in the absence of that I could implement an HMAC-like system.

Lmk which one you'd prefer?

Jayd-H commented 5 months ago

Yeah, you are right. I had a lot of trouble using SSL with the Azure database, that's why I disabled it all. Implementing HMAC seems interesting though. Then again, realistically this is a non-issue for our use case, so if it will take you a long while, just leave it honestly. I know other groups have not even implemented any form of password hashing at all lol.