
Does hashing once on the client side and once on the server side increase security when dealing with an untrustworthy server? For example, when dealing with open-source projects where users can self-host their own version of the service. My thought process behind this:

  1. When only hashing client-side, it's essentially sending plain passwords, but with the benefit of the server not knowing the actual password, which could help against a malicious server owner brute-forcing these passwords on other services (e.g. Netflix) to get access to his users' accounts.
  2. Hashing only server-side has the disadvantage stated above.
  3. So why not combine both?

Is there something I am missing? Does this increase security in any way?

schroeder
xrv0
  • Your threat model assumes that passwords are reused in other places. Are you doing this for yourself or for others of the public? – schroeder Mar 19 '20 at 18:14
  • These will be relevant: https://security.stackexchange.com/questions/31920/client-side-hashing-to-decrease-value-of-password-guessing-heuristics?rq=1 and https://security.stackexchange.com/questions/17129/challenging-challenge-client-side-password-hashing-and-server-side-password-ver?rq=1 and https://security.stackexchange.com/questions/23006/client-side-password-hashing?rq=1 – schroeder Mar 19 '20 at 18:16
  • The answer in the duplicate is what you are looking for. Searching here for "client-side hashing" will return years of discussion on this. – schroeder Mar 19 '20 at 18:18
  • The links that @Schroeder posted should answer your question. What you might want to consider, instead of client-side hashing, is PAKE or SRP. With these protocols, the client and the server mutually authenticate each other, without either disclosing any information that could be used by an active or passive attacker. – mti2935 Mar 19 '20 at 20:36
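An added example (not from the question or the comments) of the combined scheme in Python: the client derives a service-bound secret from the password, the server hashes that secret again with a random salt. Using PBKDF2 on both sides and building the client salt from the service name and username are assumptions for illustration, as are the iteration counts.

```python
import hashlib
import hmac
import os

# Illustrative cost parameters (assumption); production values should be tuned.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000


def client_derive(password: str, username: str, service: str) -> bytes:
    """Client-side KDF. The salt is bound to (service, username), so the same
    password yields unrelated values on different services, and the server
    only ever receives this derived value, never the password itself."""
    salt = f"{service}:{username}".encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_ITERATIONS)


def server_register(derived: bytes) -> dict:
    """Server side treats the client-derived value as the 'password' and hashes
    it again with a random per-user salt before storing it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", derived, salt, SERVER_ITERATIONS)
    return {"salt": salt, "digest": digest}


def server_verify(record: dict, derived: bytes) -> bool:
    """Recompute the server-side hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", derived, record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def demo() -> dict:
    """Walk through registration, login and the cross-service property."""
    password, user = "correct horse battery staple", "alice"   # constructed
    d_self = client_derive(password, user, "selfhosted.example")  # constructed name
    d_other = client_derive(password, user, "other.example")      # constructed name
    record = server_register(d_self)
    return {
        # the self-hosted server never sees the plaintext password
        "server_sees_password": password.encode() == d_self,
        "login_ok": server_verify(record, d_self),
        "wrong_password_rejected": not server_verify(
            record, client_derive("wrong", user, "selfhosted.example")),
        # what a malicious operator captures is unrelated to the other service
        "derived_reusable_elsewhere": d_self == d_other,
        # caveat: the derived value is itself a password-equivalent for THIS
        # service, so it still needs TLS; the server-side hash only protects
        # the stored record if the database leaks
        "captured_derived_value_logs_in_here": server_verify(record, d_self),
    }
```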
