Closed. mxstbr closed this issue 8 years ago.
Encryption on the client is not secure, is it? I think the server must be available only through SSL and that's enough.
The best way is to encrypt on both the client and the server, so the network and server have no idea of the plaintext password/usernames. Avoids MITM in the local WiFi etc.
I'm not an expert in security, but what about the next example?
One benefit is that the hacker does not know the original password, yes?
Yes exactly, while the hacker can still replay the request, he doesn't have the plaintext password. This means we potentially save the user, who is highly likely using the same password across a number of services, from complete ownage.
Thank you for the explanation. What secure methods are there for one-way encryption on the client side?
Ok 👍
By the way, I'd love a PR for this.
Yeah, I worked on this today for my app, and did this for your project. Check this https://github.com/mxstbr/login-flow/pull/7
@mxstbr Doesn't https protect against a man in the middle attack? (Such as someone in the local wifi network like you mentioned)
This is true; this approach currently is over-engineering with client security.
In June 2024, I received this question when I joined an interview. I think this approach is over-engineering also. Instead, you can consider logging in with SSO via Google, GitHub, ...
Security reasons