Just take the string as bytes and hash it ffs

  • frezik
    link
    fedilink
    English
    arrow-up
    2
    ·
    3 months ago

    If the end user is reusing passwords. Which, granted, a lot of people do.

    On the flip side, we’re also forcing the use of JavaScript on the client just to handle passwords. Meanwhile, the attack we’re protecting against only works for reused passwords, and the attacker is inside the server and can see the password after transport layer encryption is removed. This is a pretty marginal reason to force the complexity of JavaScript.