
[whatwg] Hashing Passwords Client-side

From: James Graham <jgraham@opera.com>
Date: Mon, 20 Jun 2011 10:40:20 +0200
Message-ID: <4DFF0774.7080200@opera.com>
On 06/17/2011 08:34 PM, Aryeh Gregor wrote:
> On Thu, Jun 16, 2011 at 5:39 PM, Daniel Cheng<dcheng at chromium.org>  wrote:
>> A variation of this idea has been proposed in the past but was largely seen
>> as undesirable--see
>> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2010-May/026254.html. In
>> general, I feel like the same objections are still true of this proposal.
>
> This proposal is considerably better formulated than that one was.
> But yes, in the end, the only real benefit is that the user can
> confirm that their original plaintext password can only be retrieved
> by brute-forcing the hash, which protects them only against reuse of
> the password on different sites.  So on consideration, it will
> probably lead more to a false sense of security than an actual
> increase in security, yes.  It no longer seems like a good idea to me.

FWIW I disagree. The same argument could be used against client-side 
form validation since some authors might stop doing proper server-side 
validation. But, as in that case, there are definite end user benefits – 
I consider limiting the scope of attacks to just a single site even in 
the face of password reuse to be a substantial win – and the authors who 
are most likely to get the server-side wrong are the same ones who are 
already storing passwords in plain text.
Received on Monday, 20 June 2011 01:40:20 UTC
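
Added example, not part of the message above or of the proposal under discussion: a sketch of the trade-off the thread argues over, where a client-side hash bound to the site makes a reused password yield unrelated values on different sites, while the submitted value still acts as the password for its own site and so must be hashed again server-side. The function names, the `site:` salt prefix, the PBKDF2/scrypt parameters and the sample hostnames are assumptions chosen for illustration, and Node's `crypto` module stands in for whatever the browser would provide.

```javascript
// Added illustration; not code from the thread or from any proposal text.
const nodeCrypto = require('crypto');

// Assumed parameters (hypothetical, picked for this example only).
const ITERATIONS = 100000;
const KEY_LEN = 32;

// Client side: derive a site-bound value from the password. The site
// identifier is the salt, so one password gives unrelated values per site.
function clientHash(password, site) {
  return nodeCrypto
    .pbkdf2Sync(password, 'site:' + site, ITERATIONS, KEY_LEN, 'sha256')
    .toString('hex');
}

// Server side: the submitted value is the login credential for this site,
// so it is stored under a random per-user salt, never as received.
function serverStore(submitted) {
  const salt = nodeCrypto.randomBytes(16);
  const digest = nodeCrypto.scryptSync(submitted, salt, KEY_LEN);
  return { salt: salt.toString('hex'), digest: digest.toString('hex') };
}

// Recompute with the stored salt and compare in constant time.
function serverVerify(record, submitted) {
  const salt = Buffer.from(record.salt, 'hex');
  const digest = nodeCrypto.scryptSync(submitted, salt, KEY_LEN);
  return nodeCrypto.timingSafeEqual(digest, Buffer.from(record.digest, 'hex'));
}

// Constructed sample data: one password reused on two made-up sites.
function demo() {
  const password = 'correct horse battery staple';
  const atForum = clientHash(password, 'forum.example');
  const atBank = clientHash(password, 'bank.example');
  const forumRecord = serverStore(atForum);
  const bankRecord = serverStore(atBank);
  return {
    differsAcrossSites: atForum !== atBank,
    forumLoginWorks: serverVerify(forumRecord, atForum),
    // A value captured at the forum is useless at the bank...
    forumValueAcceptedAtBank: serverVerify(bankRecord, atForum),
    // ...but a server storing atForum verbatim would be storing exactly
    // what a client sends to log in, i.e. a plaintext credential.
    storedDigestEqualsSubmitted: forumRecord.digest === atForum,
  };
}
```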