1

I'm aware passwords should be hashed/salted on backend and HTTPS should be used for transportation. My concern is that, on account registration, there is a section of code where the plain text password could exposed by way of a poorly placed log-statement.

I understand hashing passwords multiple times is not ideal, but to address this concern would it be acceptable (from a security governance perspective) to also hash the password on the frontend?

jacob_g
  • 674
  • 8
  • 21

1 Answers1

0

No, as password hashing should use salt and a suitable (slow) hashing algorithm, implementing this correctly and in the future double hash all passwords would require a lot more work than masking the password in the log.

If you use an unsalted hash with a fast hashing algorithm many passwords can be quickly broken using modern hash cracking equipment.

Also see Does it make security sense to hash password on client end

Halvor Sakshaug
  • 2,583
  • 1
  • 6
  • 9