mxstbr / login-flow

:key: A login/register flow built with React&Redux
https://loginflow.mxstbr.com
MIT License
1.6k stars, 215 forks

Password hashing done on client #31

Closed codepunkt closed 7 years ago

codepunkt commented 7 years ago

Out of curiosity - why is the password hashing done on the client?

mxstbr commented 7 years ago

Imagine there's a MITM attack, and somebody intercepts a user's traffic. What happens with password hashing is that they see the hashed password, and have full access to the account because they can spoof the request etc.

If you don't hash the passwords, they see the plaintext password. That (for a large percentage of users) means that they can log into any account of that person! Much worse.

It's just a nice thing to do I thought :blush: