[whatwg] Hashing Passwords Client-side
jgraham at opera.com
Mon Jun 20 01:40:20 PDT 2011
On 06/17/2011 08:34 PM, Aryeh Gregor wrote:
> On Thu, Jun 16, 2011 at 5:39 PM, Daniel Cheng<dcheng at chromium.org> wrote:
>> A variation of this idea has been proposed in the past but was largely seen
>> as undesirable--see
>> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2010-May/026254.html. In
>> general, I feel like the same objections are still true of this proposal.
> This proposal is considerably better formulated than that one was.
> But yes, in the end, the only real benefit is that the user can
> confirm that their original plaintext password can only be retrieved
> by brute-forcing the hash, which protects them only against reuse of
> the password on different sites. So on consideration, it will
> probably lead more to a false sense of security than an actual
> increase in security, yes. It no longer seems like a good idea to me.
FWIW I disagree. The same argument could be used against client-side
form validation since some authors might stop doing proper server-side
validation. But, as in that case, there are definite end user benefits —
I consider limiting the scope of attacks to just a single site even in
the face of password reuse to be a substantial win — and the authors who
are most likely to get the server-side wrong are the same ones who are
already storing passwords in plain text.
More information about the whatwg