amazon-archives / amazon-cognito-identity-js

Amazon Cognito Identity SDK for JavaScript

Do I need to secure password? #659

Closed lina128 closed 6 years ago

lina128 commented 6 years ago

I use the cognito-identity-js SDK for one of my projects. The whole website is deployed on S3. When users sign up or sign in, they type in a password. Do I need to secure the password, or will the cognito-identity-js SDK secure it? I can't find this information in any documentation. My concern is mainly the transition from client to server. I'm thinking of hashing the password, using HTTPS and HSTS.

itrestian commented 6 years ago

The password is only sent to the Cognito service on sign-up (over TLS). For sign-in, the password is never sent in the clear. This SDK uses the Secure Remote Password protocol to send a password verifier to the Cognito service.

https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol