Notwithstanding all the other caveats mentioned here, wouldn't hashing on the client side make it possible to salt the hash so that different sites generate a different hash, thus making it unlikely that the hash can be reused even if the actual password is the same? The salt could even include a time component, making the hash expire after a time.

This obviously does not eliminate the need for other security measures, so it's possibly more a question of "is it worth it?"




The server would need to hold the unsalted hash then. And if those leak, everything you need to calculate the client salt is right there.


The server should hold the unhashed salt, as is standard. One for client, one for server.
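The two-salt arrangement described in this thread (a site-specific salt applied on the client, a separate random salt applied on the server to whatever the client sends), as an added example that is not code from any commenter. It assumes PBKDF2-HMAC-SHA256 as the derivation function on both sides, a site identifier mixed into the client salt so the same password yields a different value per site, and that the per-user client salt is fetched from the server before hashing; the iteration counts and sample inputs are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed work factors for the demonstration; real deployments tune these.
CLIENT_ITERATIONS = 50_000
SERVER_ITERATIONS = 50_000


def client_hash(password: str, site: str, user_salt: bytes) -> bytes:
    """Client side: derive a site-specific value from the password.

    The salt combines the site identifier with a per-user salt the server
    hands out at login (assumption), so the same password produces
    different outputs on different sites and for different users.
    """
    salt = site.encode() + b"\x00" + user_salt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_ITERATIONS)


def server_store(client_value: bytes) -> tuple:
    """Server side: treat the client value as the credential and hash it
    again under a fresh random salt. Only (server_salt, server_hash) is
    stored; the client value itself never touches the database."""
    server_salt = os.urandom(16)
    server_hash = hashlib.pbkdf2_hmac("sha256", client_value, server_salt, SERVER_ITERATIONS)
    return server_salt, server_hash


def server_verify(client_value: bytes, server_salt: bytes, server_hash: bytes) -> bool:
    """Recompute the server-side hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", client_value, server_salt, SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, server_hash)


def register(password: str, site: str, user_salt: bytes) -> tuple:
    """Full registration flow: client derives, server stores."""
    return server_store(client_hash(password, site, user_salt))


def login(password: str, site: str, user_salt: bytes, record: tuple) -> bool:
    """Full login flow: client derives, server verifies against its record."""
    server_salt, server_hash = record
    return server_verify(client_hash(password, site, user_salt), server_salt, server_hash)


def demo() -> dict:
    """Exercise the scheme with constructed inputs and report the outcomes."""
    password = "correct horse battery staple"       # constructed sample password
    user_salt = b"\x01" * 16                         # constructed per-user salt
    site_a, site_b = "example.org", "example.net"    # constructed site identifiers

    record_a = register(password, site_a, user_salt)

    # Same password and user salt, different site: the client-side values differ,
    # so a value captured from one site is not the credential for the other.
    value_a = client_hash(password, site_a, user_salt)
    value_b = client_hash(password, site_b, user_salt)

    # A leaked server record is not a usable credential either: replaying the
    # stored server hash as if it were the client value fails verification.
    leaked_hash_replay = server_verify(record_a[1], record_a[0], record_a[1])

    return {
        "distinct_across_sites": value_a != value_b,
        "login_ok": login(password, site_a, user_salt, record_a),
        "wrong_password_rejected": not login("wrong", site_a, user_salt, record_a),
        "wrong_site_rejected": not login(password, site_b, user_salt, record_a),
        "leaked_hash_replay_rejected": not leaked_hash_replay,
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The point of the second (server-side) hash is that the client-derived value is the effective password from the server's perspective: anyone who obtains it can log in, so it has to be salted and hashed on the server exactly as a plaintext password would be. What the client-side step buys is that a value captured or leaked from one site is not directly reusable at another.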