this post was submitted on 26 May 2025
565 points (96.2% liked)

Cybersecurity - Memes


Only the hottest memes in Cybersecurity

[–] [email protected] 2 points 1 week ago (1 children)

Yeah, the password is usually sent, though not in plaintext, because you do it on a TLS connection. You can't do the hashing client-side and send the hash anyway, because the value needs to be salted and you'd also be exposing your algorithm choice and other details, or you'd have to do further processing server-side where you could conceal the details, in which case I don't really get what sending the hash gets you because you'd have to do it again.

People seem to constantly forget in web programming that you can obfuscate the client code, but you can't actually hide it or rely on it solely for validation. The client isn't something you control. They can very easily bypass any validation you put in that layer.

[–] [email protected] 2 points 1 week ago (1 children)

What is salting in this context?

[–] [email protected] 4 points 1 week ago (1 children)

Using only hashes makes it possible to use what's called a rainbow table (essentially a database of common passwords, hashed, related to their plain-text values) to crack the hashed passwords if they're somehow retrieved from the database. A salt is a separate value, usually unique to each user, that is appended or prepended to the password prior to hashing it. That makes it much harder to crack the password, even if you have the hash in hand.

[–] [email protected] 4 points 1 week ago (1 children)

Ah, makes sense. You are an excellent communicator, I really appreciate it.

[–] [email protected] 3 points 1 week ago

Anytime, and I appreciate the compliment so thanks!