[whatwg] Hashing Passwords Client-side

James Graham jgraham at opera.com
Mon Jun 20 01:40:20 PDT 2011

On 06/17/2011 08:34 PM, Aryeh Gregor wrote:
> On Thu, Jun 16, 2011 at 5:39 PM, Daniel Cheng<dcheng at chromium.org>  wrote:
>> A variation of this idea has been proposed in the past but was largely seen
>> as undesirable--see
>> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2010-May/026254.html. In
>> general, I feel like the same objections are still true of this proposal.
> This proposal is considerably better formulated than that one was.
> But yes, in the end, the only real benefit is that the user can
> confirm that their original plaintext password can only be retrieved
> by brute-forcing the hash, which protects them only against reuse of
> the password on different sites.  So on consideration, it will
> probably lead more to a false sense of security than an actual
> increase in security, yes.  It no longer seems like a good idea to me.

FWIW I disagree. The same argument could be used against client-side 
form validation since some authors might stop doing proper server-side 
validation. But, as in that case, there are definite end user benefits — 
I consider limiting the scope of attacks to just a single site even in 
the face of password reuse to be a substantial win — and the authors who 
are most likely to get the server-side wrong are the same ones who are 
already storing passwords in plain text.

More information about the whatwg mailing list