DEV Community

loading...

Discussion on: How to securely hash and store passwords in your next application

Collapse
kmistele profile image
Kyle Mistele Author

Yeah, this is correct. Passing a password as an argument to an encrypt function necessarily has to happen somewhere, otherwise how would you encrypt it? To Christopher's point, if someone can mess with your runtime or source code, you have bigger problems.

Encrypting client side is uncommon and probably considered bad practice. Most back-end languages have libraries for performing hashing and so forth, but I'm not aware of many implementations to be used with JavaScript on the front end. You'd either have to roll your own (never roll your own cryptography), or copy/paste someone else's which would be bad. Doing it on the back end also will ensure standardization. As long as you force HTTPS (TLS/SSL) for authentication and authorization, which most browsers will require (many will automatically upgrade from HTTP to HTTPS where possible), you're fine.