1

I'm making recommendations to improve our user authentication (login). Our approach thus far is to ensure we (and libraries we use) are following all of the the OWASP guidelines.

I have also been trying to study what Google, Microsoft and Yahoo do. As far as I can tell, they do not directly transmit passwords to the backend (just put a breakpoint for XHR items and see for yourself).

My question is therefore straightforward. What are they doing to passwords before they are sent the backend (possibly the same or different)?

Garret Fick
  • 11
  • 2
  • Which part of OWASP states using cryptography in the client side for authentication? I'm not being sarcastic. Genuinely curious! – ISMSDEV Oct 23 '17 at 14:53
  • 1
    analyzing traffic will see that, when authenticating with login.live.com, it does a POST request to https://login.live.com/ppsecure/post.srf with the password.
    Some may send a hash (just to avoid the password being readable on the wire), but it offers very little added security.     – ndrix Oct 23 '17 at 17:21
  • @ISMSDEV No where in OWASP does it say you should be using cryptography on the client side. – Garret Fick Oct 23 '17 at 17:36
  • @ndrix You are right - not sure how I missed it. Somehow missed for google too (that one is a post to https://accounts.google.com/_/signin/sl/challenge

    This makes my question pointless - they aren't doing something special.

     – Garret Fick Oct 23 '17 at 17:40
  • The closest for (dis-)advantages for client hashing is responded on https://security.stackexchange.com/questions/8596/https-security-should-password-be-hashed-server-side-or-client-side?rq=1 - good tips. – ndrix Oct 23 '17 at 18:31
  • ugh, client-side hashing again. why does this keep coming up? who is promoting the idea? – dandavis Oct 23 '17 at 23:08

0 Answers0