What is the point of encrypting user passwords on the frontend?

Time: 04-04

I'm working with an API that requires the user's password to be encrypted with the server's public key before sending to the server. If the whole request, including username/password/etc. is being sent through HTTPS, isn't the password encryption redundant?

CodePudding user response:

Depending on the server architecture, this kind of encryption can be helpful. For example, the TLS (HTTPS) connection may be terminated (decrypted) at the perimeter of the network in order to simplify load balancing or to scan the stream for malicious packets. Separately encrypting the password protects the password even from the edge servers, so an attacker who is able to compromise one of those still cannot gain access to the password.

Personally I stretch (i.e. PBKDF2) passwords before sending them. This ensures that the raw password is never seen by the server at all. But even in that configuration, an extra layer of encryption for the hash could be useful when the TLS stream is decrypted early.
