
That's a fair point, though it doesn't outweigh the myriad other reasons not to do client-side hashing.

Security is always a battle of usability and tradeoffs. Client-side hashing simply doesn't make sense for security. It removes the fundamental point of the hash in the first place and introduces an avenue for possibly attacking or manipulating your database.

In fact, there's hardly ever a reason to do client-side security.
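To make the point about client-side hashing concrete, here is an added example (not code from the commenter or from any project named in the thread). It contrasts two assumed designs: a naive server that stores whatever digest the client sends and later compares it for equality, and a server that hashes the password itself with a salted, slow KDF (scrypt from the standard library, chosen as a stand-in for any such function). In the first design the stored value is the credential, so a leaked record passes verification as-is; in the second it does not. The password and both servers are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed example credential; not from any real system.
PASSWORD = "correct horse battery staple"

# --- Scheme A (assumed naive design): client hashes, server stores and compares as-is ---

def client_hash(password: str) -> str:
    """What a client-side-only scheme sends over the wire."""
    return hashlib.sha256(password.encode()).hexdigest()

def server_a_register(password: str) -> str:
    # The server never sees the password; it stores the client-supplied digest unchanged.
    return client_hash(password)

def server_a_verify(stored: str, submitted: str) -> bool:
    # Verification is a plain comparison of what the client sent against what was stored.
    return hmac.compare_digest(stored, submitted)

# --- Scheme B: server-side salted, slow hashing (scrypt from hashlib) ---

def _kdf(password: str, salt: bytes) -> bytes:
    # 16 MiB of work per guess at these parameters; well under hashlib's default maxmem.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def server_b_register(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)          # per-record random salt
    return salt, _kdf(password, salt)

def server_b_verify(record: Tuple[bytes, bytes], password: str) -> bool:
    salt, digest = record
    return hmac.compare_digest(digest, _kdf(password, salt))

# --- The check the thread is arguing about: is a leaked stored value itself a credential? ---

def leaked_record_logs_in_a() -> bool:
    """Scheme A: submitting the stored value verbatim passes, so the DB row is the password."""
    stored = server_a_register(PASSWORD)
    return server_a_verify(stored, stored)

def leaked_record_logs_in_b() -> bool:
    """Scheme B: submitting the stored digest as the password does not pass."""
    record = server_b_register(PASSWORD)
    return server_b_verify(record, record[1].hex())

if __name__ == "__main__":
    print("scheme A, leaked row logs in:", leaked_record_logs_in_a())   # True
    print("scheme B, leaked row logs in:", leaked_record_logs_in_b())   # False
    print("scheme B, real password works:", server_b_verify(server_b_register(PASSWORD), PASSWORD))
```

The hashing on the client only moves the secret; whatever the server compares against its database is, by definition, what an attacker with a copy of that database needs. Hashing on the server side with a per-record salt and a deliberately slow function is what actually separates the stored value from the credential.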



Perhaps you can qualify "client-side security"? You mean never trust the client, right?


Yes, that's exactly what I mean. Treat all user-input (and by extension, client-side anything) as dangerous. A server putting a security protocol in the hands of the client when it is not unavoidable is usually bad.



