Just take the string as bytes and hash it ffs

  • CommanderCloon@lemmy.ml
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    3
    ·
    2 months ago

    If you hash in the browser it means you don’t salt your hash. You should absolutely salt your hash, not doing so makes your hashes very little better than plaintext.

    • Shadow@lemmy.ca
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      1
      ·
      edit-2
      2 months ago

      There’s nothing stopping a browser from salting a hash. Salts don’t need to be kept secret, but it should be a new random salt per user.

    • Saik0@lemmy.saik0.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      If you hash in the browser it means you don’t salt your hash. You should absolutely salt your hash, not doing so makes your hashes very little better than plaintext.

      That’s not true. If they send hashed password you could salt/hash again on server if you’re trying to keep the salt “secret”. Their hash should always be the same if they’ve submitted the same password. You’d just be hashing a hash in that case… but it’s the same premise.