

That would be an extremely bad idea though, because it would allow a malicious attacker to:
- Try random usernames, and if the website returns a hash they know that user exists
- Once they have the hash, and the hashing algorithm, it is much easier to brute-force the password, bypassing any safeguards on the server
Username/password validation should happen entirely server-side, with as little information as possible provided to the client
You would assume that, but you would be very wrong. People are lazier/sloppier than you might think.
Searching for “client side authentication NVD” turns up a lot of examples. There is even a CWE for "Use of Client-Side Authentication":
https://cwe.mitre.org/data/definitions/603.html
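As an added illustration of the point made in the comment above (this is example code written for this page, not code posted by either commenter), the following contrasts the two login designs: a "leaky" endpoint that returns the stored salt and hash to whoever asks for a username, versus a server-side check that keeps the hash private and answers identically for an unknown user and a wrong password. The in-memory user table, the PBKDF2-HMAC-SHA256 choice and the account names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Iteration count for PBKDF2-HMAC-SHA256; an assumption for this example.
PBKDF2_ITERATIONS = 600_000


def make_record(password: str) -> dict:
    """Create a salted password record. A fresh random salt per user means
    two users with the same password still get different hashes."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed user table for the example; a real system keeps this in a database.
USERS = {"alice": make_record("correct horse battery staple")}

# A throwaway record used when the username does not exist, so that the
# server does the same amount of hashing work either way (no timing tell).
_DUMMY = make_record(secrets.token_hex(16))


def leaky_lookup(username: str) -> dict:
    """The pattern the comment warns against: the server hands the hash
    (and everything needed to recompute it) to the client, and also
    reveals whether the username exists. Shown only for contrast."""
    rec = USERS.get(username)
    if rec is None:
        return {"error": "no such user"}          # username enumeration
    return {                                      # offline brute-force material
        "salt": rec["salt"].hex(),
        "hash": rec["hash"].hex(),
        "iterations": PBKDF2_ITERATIONS,
    }


def verify_login(username: str, password: str) -> bool:
    """Server-side check. The stored hash never leaves the server, the
    comparison is constant-time, and unknown users still go through the
    full PBKDF2 computation against the dummy record."""
    rec = USERS.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ITERATIONS)
    matched = hmac.compare_digest(candidate, rec["hash"])
    return matched and username in USERS


def login_response(username: str, password: str) -> dict:
    """What the client actually sees: one generic failure message, whether
    the username was unknown or the password was wrong."""
    if verify_login(username, password):
        return {"status": "ok"}
    return {"status": "invalid username or password"}


if __name__ == "__main__":
    print(login_response("alice", "correct horse battery staple"))
    print(login_response("alice", "wrong password"))
    print(login_response("mallory", "anything"))
```

The second and third responses are byte-for-byte identical, which is the property the comment asks for: the client learns only that the attempt failed, not which half of the credential was wrong, and never receives anything it could feed to an offline cracker.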