web application – https security – should password be hashed server-side or client-side?

Hashing on the client makes sense only if you do not trust the server in some way, and do not want to show it the “actual” password (the one which the human user remembers). Why would you not want to show the password to the very site on which the said password has any use? Because you have reused the password elsewhere! Now that’s usually bad, but there is a relatively safe version which is incarnated in myriads of browser extensions or bookmarklets such as this one or that one (I don’t vouch for their quality). These are tools where the human user remembers a “master password”, from which a site-specific password is generated, using the site domain name as a kind of salt, so that two distinct sites get distinct passwords.

While this scenario makes sense, doing it with Javascript sent by the server itself does not. Indeed, the point of hashing the password client side is that the server is potentially hostile (e.g. subverted by an attacker), and thus Javascript code sent by that server is, at the very least, suspect. You do not want to enter your precious password in some hostile Javascript…

Another case for client-side hashing is about slow hashing. Since passwords are, by definition, weak, you want to thwart dictionary attacks. You assume that the bad guy got a copy of the server database, and will “try passwords” on his own machines (see this blog post for some discussion on this). To slow down the adversary, you employ an inherently slow hashing process (such as bcrypt), but this will make the processing slow for everybody, including the server. To help the server, you might want to offload some of the work on the client, hence do at least part of it in some Javascript code running in the client browser…

Unfortunately, Javascript is awfully slow at this kind of job (typically 20 to 100 times slower than decent C code), and the client system will not be able to contribute a substantial part to the hashing effort. The idea is sound but will have to wait for better technology (it would have worked with a Java client, though: with a decent JVM, optimized Java code is about 2 to 4 times slower than optimized C code, for a hashing job).

To sum up, there is no really good case for doing client-side password hashing, from Javascript code sent by the server itself. Just send the password “as is” to the server through an HTTPS tunnel (the login page, the form destination URL, and whatever pages are protected by the password, shall all be served over SSL, otherwise you have more pressing security issues than the use of passwords).
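The server-side flow the answer recommends, as an added example that is not part of the original answer: the browser sends the plaintext password over HTTPS and the server runs a deliberately slow, salted hash and stores only the result. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt here (an assumption for portability, not a claim about the answer's preferred algorithm); the iteration count, the record format and the password strings are all constructed for the example.

```python
import hashlib
import hmac
import os

# Added example (not from the original answer). PBKDF2-HMAC-SHA256 stands in for
# bcrypt; the iteration count is the "slowness" knob the answer talks about.
ITERATIONS = 600_000   # assumption: tune so one hash costs ~0.1-0.3 s on the server
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash at registration: fresh random salt per user, parameters stored with the hash.

    Returns a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Verify at login: recompute with the stored salt/parameters, compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:
        return False   # malformed record: never treat as a match
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored record is weaker than current policy, so the server can
    re-hash transparently at the next successful login (it has the plaintext then)."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")   # constructed sample password
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("Tr0ub4dor&3", rec))                     # False
```

The record carries its own parameters, so the iteration count can be raised later without invalidating existing users: `needs_rehash` flags old records and the server upgrades them at the next login, which is the only moment it legitimately holds the plaintext.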

hashing – Why do sites store user data all in one user table? Why not separate with salted and hashed unique keys?

Say I’m a Big Company with a bunch of user data, including usernames, email addresses, and salted and hashed passwords. I recognize that I’m susceptible to attack in some way, shape or form, despite everything that I’ve done to try to prevent an attacker from gaining access (phishing is stupidly effective, after all).

Suppose I want to separate a hacker from getting to more data. Would it not make more sense for me to set up one table with user data consisting of a unique identifier, their salted and hashed password, and any other relevant data, then create another table of email addresses that has two columns: the email address, and a unique key. However, that unique key is based on a salted and hashed version of the unique key from the original users table that can be replicated (assuming you know the salt and the algorithm used).

Now, assuming someone enters maliciously, they will have to determine two sets of salts and hashes – one to decrypt the password, and one to decrypt which email address is associated with that username and password. Gaining the email addresses is still valuable for stuff like spam mail, but it’s now double the effort if someone wants to figure out how to log in as a user. This obviously is n

magento2 – M2 Import customers with API with hashed passwords?

I can import customers with the API using the /rest/all/V1/customers endpoint. I can also supply a password.

But is it possible to import a customer with a hashed password? If possible, how would I do that? To be clear, I just want to supply a hashed password in the request. It’s coming from Magento 1 and is MD5 hashed (which M2 supports).

I tried password_hash (named like the field in the table) instead, but that doesn’t work. The field stays NULL.

TL;DR

How can I import customers with hashed passwords with the API?

hash – Sending and blocking emails from hashed and salted address? (for GDPR)

I would like to send emails from my server, but also make them impossible to trace for me as the server owner or for attackers. I want this for GDPR but also to protect people from abusers.

Short info about the service: I am the provider of the service as a person, not a company; emails will be tied to the product (invites and service content) with 0 marketing; there will be rate limits preventing spamming; emails will be triggered only by real users; users won’t be able to send just any email, but rather use specific templates; non-users will be receiving emails too (invites).

Will it be enough to just store emails hashed and salted with one system-wide salt value? My main concern is mostly non-users, as I can’t have their consent before emailing them. So I could provide them a way to block an abuser or all emails from my server by just storing the hashed and salted email and comparing every request to send an email against it.

Another problem is, how can I prove that some user gave me consent to receive past emails? Is a stored hashed and salted value enough?

Do you know how other big services like Gmail, Mailgun, etc. solved this?

Thank you very much for any help or suggestions
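The blocking mechanism the question describes, as an added example that is not part of the original post: a suppression list that stores only a keyed hash of each address, plus a send gate that checks the template allow-list and the suppression list before anything goes out. The "system-wide salt" from the question is used here as an HMAC key that is kept outside the database (an assumption about deployment; the key, addresses and template names are all constructed for the example). The reason for a key rather than a plain salt stored next to the table is that email addresses are drawn from a small, guessable space, so a hash with a known salt can be matched against an address list; a secret key removes that shortcut as long as the key is not stolen with the table.

```python
import hashlib
import hmac
import unicodedata

# Added example (not from the original question). Everything below is constructed.
SYSTEM_KEY = b"replace-with-a-random-32-byte-secret"   # assumption: loaded from config, never stored in the DB


def normalize_email(addr: str) -> str:
    """Canonicalise so 'Alice@Example.COM ' and 'alice@example.com' yield the same token.

    Lower-casing the local part is an assumption (RFC 5321 allows case-sensitive
    local parts, but practically every provider treats them case-insensitively).
    """
    return unicodedata.normalize("NFKC", addr).strip().lower()


def email_token(addr: str, key: bytes = SYSTEM_KEY) -> str:
    """Keyed hash of the normalised address; this is the only thing written to storage."""
    return hmac.new(key, normalize_email(addr).encode("utf-8"), hashlib.sha256).hexdigest()


class SuppressionList:
    """Block list holding tokens only: the plaintext address never reaches the table."""

    def __init__(self):
        self._blocked = set()

    def block(self, addr: str) -> None:
        self._blocked.add(email_token(addr))

    def is_blocked(self, addr: str) -> bool:
        return email_token(addr) in self._blocked


def may_send(suppressions: SuppressionList, recipient: str,
             template_id: str, allowed_templates: set) -> bool:
    """Gate applied to every outbound send request.

    Refuses unknown templates (users cannot send arbitrary mail) and any recipient
    on the suppression list. Rate limiting would sit in front of this call.
    """
    if template_id not in allowed_templates:
        return False
    return not suppressions.is_blocked(recipient)


if __name__ == "__main__":
    suppressions = SuppressionList()
    suppressions.block("Alice@Example.com")           # constructed opt-out
    print(may_send(suppressions, " alice@example.com", "invite", {"invite"}))   # False
    print(may_send(suppressions, "bob@example.com", "invite", {"invite"}))      # True
```

Because the token is deterministic for a given key, a block request from a non-user can be honoured without ever storing their address; rotating the key, however, invalidates every stored token, so the key needs the same backup discipline as the database itself.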

Why do we need hashed page tables for Paging in Operating Systems?

I understand that we might need hierarchical paging to handle page tables with sizes greater than the size of one frame, but what is the use of hashed page tables then? I would understand if we were storing page numbers and mapped frame numbers as key-value pairs, because then hashing would make the process of accessing a particular key-value pair much faster, but can’t we just store the base of the page table, add the virtual page number, go to that index of the page table, and get the frame number anyway?
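A toy hashed page table beside the "base + virtual page number" linear lookup from the question, as an added example that is not part of the original post, to make the size difference concrete. Page size and address width are assumptions (4 KiB pages, 48-bit virtual addresses), the hash function is an arbitrary multiplicative one, and the mappings are constructed.

```python
# Added example (not from the original question). A linear table must reserve one
# slot per *possible* virtual page, so its size follows the address space; a hashed
# table sizes itself to the pages actually mapped and chains collisions.
PAGE_SHIFT = 12    # assumption: 4 KiB pages
VADDR_BITS = 48    # assumption: 48-bit virtual addresses, as on x86-64


def linear_table_entries(vaddr_bits: int = VADDR_BITS) -> int:
    """Entries a single flat table needs: one per virtual page number (2**36 here)."""
    return 1 << (vaddr_bits - PAGE_SHIFT)


class HashedPageTable:
    """Buckets of (vpn, pfn) pairs; lookup hashes the VPN and walks one short chain."""

    def __init__(self, nbuckets: int = 1024):
        self.buckets = [[] for _ in range(nbuckets)]

    def _index(self, vpn: int) -> int:
        # Arbitrary multiplicative hash (assumption); any spreading function works.
        return ((vpn * 0x9E3779B97F4A7C15) & (2 ** 64 - 1)) % len(self.buckets)

    def map(self, vpn: int, pfn: int) -> None:
        chain = self.buckets[self._index(vpn)]
        for i, (v, _) in enumerate(chain):
            if v == vpn:
                chain[i] = (vpn, pfn)   # remap an existing page
                return
        chain.append((vpn, pfn))

    def lookup(self, vpn: int):
        for v, p in self.buckets[self._index(vpn)]:
            if v == vpn:
                return p
        return None   # no mapping: the hardware/OS would raise a page fault

    def translate(self, vaddr: int) -> int:
        vpn, offset = vaddr >> PAGE_SHIFT, vaddr & ((1 << PAGE_SHIFT) - 1)
        pfn = self.lookup(vpn)
        if pfn is None:
            raise LookupError(f"page fault at {vaddr:#x}")
        return (pfn << PAGE_SHIFT) | offset

    def mapped_pages(self) -> int:
        return sum(len(chain) for chain in self.buckets)


if __name__ == "__main__":
    pt = HashedPageTable(nbuckets=64)
    pt.map(0x00400000 >> PAGE_SHIFT, 7)        # constructed: code page near the bottom
    pt.map(0x7FFFFFFF0000 >> PAGE_SHIFT, 9)    # constructed: stack page near the top
    print(hex(pt.translate(0x00400123)))       # 0x7123
    print(f"linear table would need {linear_table_entries():,} entries "
          f"for {pt.mapped_pages()} mapped pages")
```

The two mapped pages sit at opposite ends of the 48-bit space; the linear scheme from the question would have to index 2**36 entries (or several levels of them) to cover that span, while the hashed table holds exactly two entries and still answers each lookup in one hash plus a one-element chain walk.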

encryption – How to identify this hashed text and if it encrypted using a key?

For the second one, I think you mean 152 characters, not 152 bytes. The character set looks like base64, and the equals symbols at the end are another tell-tale sign that this is probably base64, as equals symbols are often used for padding in base64.

In base64, each set of 4 characters represents 3 bytes. You have 150 characters of actual information (again, the last two equals symbols are padding). This equates to 112.5 bytes of data ((150/4) * 3). That equates to 900 bits of data (8*112.5).

That’s most likely not a hash, as no standard hashing algorithm produces a 900-bit result. It’s most likely not the result of AES encryption either, as AES produces blocks of 128 bits, and 900 is not a multiple of 128.

8 – How do I get a user password before it is hashed?

In Drupal 8 – how can I get the user password before it is hashed?

I need to create the user on two other services via APIs so that the user can use the same credentials to log in to all platforms.

I tried:

use Drupal\user\UserInterface;

function MYMODULE_entity_presave(UserInterface $account) {
  // Here I can see the password, but not access it.
  var_dump($account);

  // If I use the toArray function, I can access the password, but now it is hashed.
  $account = $account->toArray();
}

How (if possible) can I do this?