Reputation: 779
Does it make sense to also hash password on frontend?
I'm aware passwords should be hashed/salted on backend and HTTPS should be used for transportation. My concern is that, on account registration, there is a section of code where the plain text password could exposed by way of a poorly placed log-statement.
I understand hashing passwords multiple times is not ideal, but to address this concern would it be acceptable (from a security governance perspective) to also hash the password on the frontend?
Upvotes: 5
Views: 5122
Answers (2)
Reputation: 564
Yes, you should hash your password on frontend with a salt (e.g username) to prevent clear text abuse on backend. Also, slow hash should happen on frontend to migrate the computing burden of backend.
You may combine salt and pepper on backend for the secondary hash.
Upvotes: 3
Reputation: 3475
No, as password hashing should use salt and a suitable (slow) hashing algorithm, implementing this correctly and in the future double hash all passwords would require a lot more work than masking the password in the log.
If you use an unsalted hash with a fast hashing algorithm many passwords can be quickly broken using modern hash cracking equipment.
Also see Does it make security sense to hash password on client end
Upvotes: 1
Related Questions
- How can I programatically get the version of a NuGet package being used in the solution?
- How to retrieve the assembly version of System.ValueTuple?
- How to get nuget package metadata via the API?
- Read a nuget package library version in the target assembly when installed
- Nuget/Dotnet package manager - how can I retrieve $(<SomeVariable>)
- Read metadata from nupkg
- nuget retrieving package metadata
- Retrieving the nupkg version number in msbuild
- Pickup NuGet package version from the packed assembly version
- Resolve project assembly references from nuget packages?