
Prehash login passwords on client-side before sending them

Open Zaczero opened this issue 1 year ago • 1 comments

This will introduce a new safeguard against a potentially compromised server. By having a strong client-side hashing step, we could reduce server-side hash complexity and save on resources.

Zaczero avatar May 08 '24 05:05 Zaczero

from hashlib import pbkdf2_hmac

    # Excerpt: method of the project's password class (PasswordStr is the
    # project's secret-string type; get_secret_value() returns the raw text).
    @staticmethod
    def client_prehash(password: PasswordStr) -> str:
        """
        Prehash a password using the client's algorithm.

        PBKDF2-HMAC-SHA256, empty salt, 20 000 iterations, hex-encoded output.
        """
        return pbkdf2_hmac(
            hash_name='sha256',
            password=password.get_secret_value().encode(),
            salt=b'',
            iterations=20_000,
        ).hex()

https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#browser_compatibility https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/deriveBits#browser_compatibility

Zaczero avatar May 31 '24 06:05 Zaczero