
I am currently using a technique where I send the username/password in cleartext


Question

I am currently using a technique where I send the username/password in cleartext (using https) to the server, which then does bcrypt and compares to the db. Standard practice.

It is considered safe.

Would sending bcrypt hash to the server for checking be equally safe?

The point of bcrypt is that it is computationally expensive, so that stolen hashes cannot be brute forced (or would take a long time). With the client sending the hash, I think this still holds true.

So, the question is, would this technique compromise my network's security in any way?

Explanation / Answer

Basically, if you hash on the client side, the hashed password becomes the authentication token, and it means that you are, in essence, storing the password in plain text in the database.

So, to answer your question: it would not compromise your network's security, but it would mean that if your database is breached you have lost all the benefit of storing the password in a hashed format in the first place, since the hashes are now the passwords.
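The "hashes are now the passwords" point above, as an added worked example that is not part of the original question or answer. Because bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 stands in for it; the only property the demo relies on is that the function is salted, one-way and slow. Scheme A is the asker's current setup, scheme B is the proposed client-side hashing, and scheme C (client hashes, server hashes the result again) is a mitigation the answer does not mention, included here only to show what restores the lost property. The usernames, password, `client_salt` derivation and class names are all constructed for the example.

```python
import hashlib
import hmac
import os

# Stand-in for bcrypt: salted, one-way and deliberately slow. The iteration
# count is kept low so the demo runs quickly; production values are far higher.
ITERATIONS = 20_000


def slow_hash(secret: bytes, salt: bytes) -> bytes:
    """Assumed substitute for bcrypt(secret, salt)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def client_salt(username: str) -> bytes:
    """A client that hashes locally needs a salt it can derive without asking the
    server; deriving it from the username is an assumption made for this demo."""
    return hashlib.sha256(b"client-salt:" + username.encode()).digest()


class ServerSideHashing:
    """Scheme A: the client sends the password over TLS; the server hashes it."""

    def __init__(self):
        self.db = {}  # username -> (salt, hash); this is what a breach leaks

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, slow_hash(password.encode(), salt))

    def login(self, user: str, wire_value: bytes) -> bool:
        # wire_value must be the password itself; anything else is just a wrong password.
        salt, stored = self.db[user]
        return hmac.compare_digest(slow_hash(wire_value, salt), stored)


class ClientSideHashing:
    """Scheme B: the client sends slow_hash(password); the server compares it directly."""

    def __init__(self):
        self.db = {}  # username -> hash, i.e. exactly the value the client will send

    def register(self, user: str, password: str) -> None:
        self.db[user] = slow_hash(password.encode(), client_salt(user))

    def login(self, user: str, wire_value: bytes) -> bool:
        # The stored hash IS the credential: whoever holds it can log in.
        return hmac.compare_digest(wire_value, self.db[user])


class ClientThenServerHashing:
    """Scheme C (not in the answer above): client hashes, server hashes again with
    its own salt, so a leaked row is neither the password nor the wire token."""

    def __init__(self):
        self.db = {}  # username -> (server_salt, slow_hash(client_hash, server_salt))

    def register(self, user: str, password: str) -> None:
        client_hash = slow_hash(password.encode(), client_salt(user))
        server_salt = os.urandom(16)
        self.db[user] = (server_salt, slow_hash(client_hash, server_salt))

    def login(self, user: str, wire_value: bytes) -> bool:
        server_salt, stored = self.db[user]
        return hmac.compare_digest(slow_hash(wire_value, server_salt), stored)


def run_demo() -> dict:
    """Register one user under each scheme, then try to log in both as the real
    user and as an attacker who only holds a copy of the stolen database row."""
    password = "correct horse battery staple"  # constructed sample credential
    results = {}

    a = ServerSideHashing()
    a.register("alice", password)
    stolen_a = a.db["alice"][1]  # attacker's copy of the stored hash
    results["A_real_user"] = a.login("alice", password.encode())
    results["A_stolen_row"] = a.login("alice", stolen_a)

    b = ClientSideHashing()
    b.register("alice", password)
    stolen_b = b.db["alice"]
    results["B_real_user"] = b.login("alice", slow_hash(password.encode(), client_salt("alice")))
    results["B_stolen_row"] = b.login("alice", stolen_b)  # pass-the-hash: succeeds

    c = ClientThenServerHashing()
    c.register("alice", password)
    stolen_c = c.db["alice"][1]
    results["C_real_user"] = c.login("alice", slow_hash(password.encode(), client_salt("alice")))
    results["C_stolen_row"] = c.login("alice", stolen_c)

    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'login OK' if ok else 'rejected'}")
```

Only scheme B lets the stolen row authenticate: in A the server hashes whatever arrives, so a replayed hash is just a wrong password, and in C the leaked value is one more slow hash away from the token the client actually sends. Note that C keeps the server-side cost per guess, so the brute-force resistance the asker cares about is preserved, while B preserves it only against offline cracking and not against straightforward replay.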