• Service providers aren’t actually supposed to know your password. Passwords should always be sent after hashing on client side. Only the hashes are matched on server side.

    Edit: Not accurate, read replies.

    • voxel@sopuli.xyz
      link
      fedilink
      arrow-up
      8
      ·
      1 年前

      nope hashing is usually done server-side.
      also counter-intuitively server-side hashing is considered more secure than client side (in case of client side hashing hash becomes the password)

      • I’m not an expert in this, and I did look around after reading your comment. Looks like the password is usually sent as-is, then hashed server side, and matched against hashes in the database. So, the hashes are what’s stored in their database. So, ideally, the server shouldn’t know your password. Also, it can be hashed from client side too, but that becomes redundant since everything is tls encrypted anyway.