
I've built a Rest API with node. Looking at the authentication route, I have passwords that are stored hashed using bcrypt.

Now when a user comes to log in, I can hash the password client side and send this to the API; however, as far as I can see, it is not possible to compare two hashes. So does this mean the only secure option is to send it as plain text through HTTPS?

I've seen it answered here: Client side password hash versus plain text. However, is there a general consensus that plain text over HTTPS is the only significant way?

Thanks.

userMod2

1 Answer


You absolutely, positively must use HTTPS regardless of whether you do the computations client side or server side. So if your goal is to remove the HTTPS and use HTTP instead: do not do it -- it opens the door to "pass the hash" attacks.

There are good arguments to move the bcrypt computation to the client side, but there are a number of pitfalls that you must worry about to do it correctly. For reference, see Method to Protect Passwords in Databases for Web Applications and Client-Plus-Server Password Hashing as a Potential Way to Improve Security Against Brute Force Attacks without Overloading the Server. Two different solutions based upon similar ideas and observations.

TheGreatContini