this post was submitted on 26 May 2025
565 points (96.2% liked)

Cybersecurity - Memes

2678 readers
1 users here now

Only the hottest memes in Cybersecurity

founded 2 years ago
MODERATORS
Sam1232188@lemmy.world
neurohost@lemmy.world
Alphadef@programming.dev
CannaVet@lemmy.world
565
Uh oh, somebody's not following best practices, that's a paddlin (europe.pub)
submitted 1 week ago by cm0002@lemmy.world to c/cybersecuritymemes@lemmy.world
103 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[โ€“] aesthelete@lemmy.world 2 points 1 week ago* (last edited 1 week ago) (1 children)

You could use logic to only send it after x amount of seconds without changes, waiting for the specified minimum length, etc.

With the right restrictions, it really wouldn't be that much different load profile wise to submitting it upon button press.

There's a high probability that it's sending the hash (or even the password ๐Ÿ˜ตโ€๐Ÿ’ซ) to the browser and comparing it though which is bad practice. Hell, just having a hash with no salt is bad practice, and sending the salt to the frontend as well would be even arguably worse.

[โ€“] Scubus@sh.itjust.works 1 points 1 week ago* (last edited 1 week ago) (1 children)

Not even remotely involved with opsec, but sending the password from the client to the server doesnt seem that crazy. It opens you up to people skimning your plaintext password if your connection is not secure, but by that same logic if your connection isnt secure then they can skim your hash. Unless the security on the site is good im sure there is a way to skip the encoding process and log in directly using the hash, so its a relatively small improvement to send the hash rather than plaintext, no? The much bigger issue would be if the server validated it as plaintext, because that would mean the server stores it as plaintext. But if the encoding is done server side, then that would make it significantly harder to crack the hash algorithm.

Im sure im making a mistake with my reasoning here, can you explain it to me?

Edit: ah, i see. I misread your comment.

[โ€“] aesthelete@lemmy.world 2 points 1 week ago (1 children)

Yeah the password is usually sent, not in plaintext because you do it on a TLS connection. You can't do the hashing clientside and send the hash anyway because the value needs to be salted and you'd also be exposing your algorithm choice and other details, or you'd have to do further processing server-side where you could conceal the details in which case I don't really get what sending the hash gets you because you'd have to do it again.

People seem to constantly forget in web programming that you can obfuscate the client code, but you can't actually hide it or rely on it solely for validation. The client isn't something you control. They can very easily bypass any validation you put in that layer.

[โ€“] Scubus@sh.itjust.works 2 points 1 week ago (1 children)

What is salting in this context?

[โ€“] aesthelete@lemmy.world 4 points 1 week ago (1 children)

Using only hashes makes it possible to use what's called a rainbow table (essentially a database of common passwords hashed related to their plain-text values) to crack the hashed passwords if they're somehow retrieved from the database. A salt is a separate value, usually unique to each user, that is appended or prepended to the password prior to hashing it. That makes it much harder to crack the password, even if you have the hash in hand.

[โ€“] Scubus@sh.itjust.works 4 points 1 week ago (1 children)

Ah, makes sense. You are an excellent communicator, I really appreciate it.

[โ€“] aesthelete@lemmy.world 3 points 1 week ago

Anytime, and I appreciate the compliment so thanks!