Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I'm curious if anyone has details on using bcrypt/scrypt at scale. Specifically one way I could see this happening is something like login requests go to a load balancer that puts the requests on a queue to be picked up and validated by some hasher service, and the queue ends up writing the requests to logs to recover from certain kinds of failures.


Is it insecure to bcrypt/scrypt on the client instead so the server never sees the plaintext password?


From the password compromise side, not really, you're just pushing the cost of hashing to your users (and it will impact mobile users more). There's a similar technique on needing proof-of-work on the client to combat DDoS.

From the authorization side, there is a threat, because if your table storing hashes is compromised, attackers just have to supply the stored hash to the auth endpoint and they get to login as anyone.

A combination of hashing on the client side (or immediately once the pw hits the endpoint) with something cheaper followed by a more intense bcrypt/scrypt afterwards might help a bit with the tradeoffs.


Then anyone with a copy of your DB can log in by sending the hash directly. It’s identical to storing plain text passwords.


You could hash it twice, once at the client and once at the server. So your database would store a hash of a hash.

But without persistence on the client side you wouldn’t be able to do salting in the first hash (where do you store the salt?)


Does it buy you anything at that point? A server-side issue, such as this, would still log the thing you need to log in, and a client-side issue would just intercept the hashed form or could derive the hashing mechanism from analysing the client.

At most, it would seem to prevent weak passwords from being passed directly to bcrypt, but salting should solve that in a similar way anyway, and anyone brute-forcing a copy of the database can incorporate the same weak hashing logic


Another comment in this thread mentioned an idea of seeding the hash with a quickly expiring nonce fetched from the server. I think that’s a quite clever approach, similar to CSRF tokens in a sense.

That would effectively create a one time “password” for transmission from browser to database. In a case like this one, where sensitive text transmitted from the client leaked into logs, it would be a non-issue. The sensitive string in the logs is a temporary hash that would be useless shortly after discovery, since it was derived from an expired nonce.

It effectively becomes a real time scrubbing system with 100% coverage, because the passwords are “scrubbed” by design, and do not depend on explicit detection code in some scrubbing mechanism.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: