2

I want to know if it ever makes sense to hash a password client side and rehash it again on the back end. I've not seen this done before which makes me suspicious as to whether it really does add security. Here are the threats I'm considering:

  1. The server operator could be evil and watches incoming plaintext passwords. If the incoming passwords are used elsewhere the evil operator gains an advantage against the user. Let's assume the user is able to verify how passwords are being sent from the client - so the evil server can't easily backdoor the client login.
  2. The client side hashing algorithm is implemented poorly. Perhaps we have a open api and a developer implements a bad hashing implementation or the iterations is set rather low for performance reasons. The server is hacked and the insecure hashes are leaked.

Potential implementation:

  1. Client requests from server a user's publicly known alg/salt/iteration. Without this we can't ever "upgrade" the password hash.
  2. Client hashes the password and sends an authentication request
  3. Server accepts the hash. Hashes it again the same way it would hash any plaintext password. Checks if the hashes match.

Use cases:

  • Providing trust to users.
  • Services that encrypt all data client side and wish to claim client data is not accessible to operator. (Password managers, file sync services, email providers, ect)
  • Defending against future possibilities such as government intervention or blackmail. This is only helpful against knowing passwords as they come in and hoping the user reuses passwords.
Bufke
  • 173
  • 5
  • in your scheme, the client-side hashed password becomes the password – schroeder Feb 15 '16 at 20:24
  • the answers to this question might address yours: http://security.stackexchange.com/questions/8596/https-security-should-password-be-hashed-server-side-or-client-side?rq=1 – schroeder Feb 15 '16 at 20:26
  • Possible duplicate is about a different threat (man in the middle) from what I'm considering. Thanks for the response and links though. They are tangentially helpful. I'd still be interested in what people think of this specific question. The answers there don't address a threat of a evil server operator. – Bufke Feb 15 '16 at 20:45
  • 2
    An evil server operator has access to everything, and it's *their* service you are connecting to. I'm unsure of a way to protect a user's password from your own influence. – schroeder Feb 15 '16 at 21:02
  • 1
    You should read about [pass the hash](https://en.wikipedia.org/wiki/Pass_the_hash). – Neil Smithline Feb 15 '16 at 22:59
  • 1
    I found this blog post from Tutanota that I think is a good answer. https://tutanota.com/blog/old-blog/bA7ez.html it's German but easy to translate and the image is pretty clear. I don't agree that those questions are duplicates. I'd suggest someone with more privilege to add the blog link as an answer or explain if they think Tutanota is wrong on the subject. – Bufke Feb 16 '16 at 16:50

0 Answers0