top | item 47164520


pjjpo | 4 days ago

Password managers generally send a hash, but for almost all services I would say a plain-text password is standard. I would definitely go with something like Firebase or Auth0 vs. rolling your own auth in most normal situations. The poster is explicit about not knowing anything about security though, so all good.

badeeya | 3 days ago

This makes sense, I guess encrypting it on top of TLS doesn’t meaningfully improve security. My concern is that you’re trusting the server to immediately salt and hash upon receipt (especially before storing), but if the client at least obfuscated the password, then in the worst case of a leak you have an email and an obfuscated password that can be used to log in to the pwned service but nothing else. My specific threat model depends on the average person not adopting password manager hygiene and 2FA across their services, which is fairly common amongst my friends personally.

pjjpo | 1 day ago

Salts are fixed, so if you salt with, e.g., the email address, any attacker will also do that. The key derivation strategy of password managers is already known. Especially in a browser, the salting strategy cannot be hidden, so it's a known factor. As sad as it is, for those without good hygiene, either they are at risk of compromise, or they tie identity to a device and are at risk of losing access entirely. There is currently no magic solution.
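The two points above (a client-side "obfuscation" keyed on the email address is deterministic and public, so the server must still apply its own random per-user salt and a slow KDF) can be shown side by side. This is an added example written for this thread, not code from either commenter; the KDF parameters, the `client_prehash` helper and the record layout are assumptions chosen for illustration, not a recommendation from the thread.

```python
import hashlib
import hmac
import os

# Assumed example parameters for hashlib.scrypt (16 MiB of memory at N=2**14, r=8).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_LEN = 32


def client_prehash(email: str, password: str) -> bytes:
    """Client-side obfuscation with the email address as the salt, as discussed
    in the thread. The salt is derived from public data, so the output is fully
    deterministic: anyone who knows the scheme can reproduce it, and a leaked
    value is still a valid credential for this one service."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), email.lower().encode(), 100_000
    )


def make_record(secret: bytes) -> dict:
    """Server-side storage: a fresh random salt per user plus a memory-hard KDF.
    Two users with the same secret get unrelated records, unlike the
    email-keyed prehash above."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN
    )
    # Store the parameters alongside the hash so they can be raised later.
    return {"salt": salt, "hash": digest, "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def verify(record: dict, secret: bytes) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(
        secret, salt=record["salt"], n=record["n"], r=record["r"], p=record["p"],
        dklen=KEY_LEN,
    )
    return hmac.compare_digest(candidate, record["hash"])


def same_prehash_for_same_email(email: str, password: str) -> bool:
    """Shows the client-side scheme has no secret input beyond the password."""
    return client_prehash(email, password) == client_prehash(email, password)


if __name__ == "__main__":
    # Constructed sample credentials for the demo.
    email, password = "alice@example.invalid", "correct horse battery staple"
    sent = client_prehash(email, password)       # what a prehashing client would send
    rec = make_record(sent)                      # server still salts and stretches it
    print("login ok:", verify(rec, sent))
    print("wrong password rejected:", not verify(rec, client_prehash(email, "nope")))
    print("same input, same prehash:", same_prehash_for_same_email(email, password))
```

Whether or not the client prehashes, the server-side path is the same: treat whatever arrives as the secret, salt it with `os.urandom`, run a slow KDF, and compare with `hmac.compare_digest`. The prehash only changes which string an attacker learns from a leak; it does not remove the need for the server to do its own salting.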