Why aren’t passwords also hashed on the client side during authentication?

I've never understood why passwords are not hashed on the client-side for various authentication protocols that I've researched like SSH and various web authentication. From my understanding, it loosely works like this:

  1. Client establishes an encrypted connection with the server (hopefully)

  2. Client sends the username and plaintext password within the encrypted channel

  3. Server hashes the plaintext password and checks it against the hash in the database

To me this seems like it's relying entirely on the encrypted connection to secure the password in transit. With MITM attacks and state actors recording traffic + researching QC that is supposed to break these types of encryption, that seems worrisome. Knowing user behavior, an intercepted plaintext password can likely be used on many sites. It can also help determine the user's password scheme (hunter1, hunter2, hunter3, etc) so that when they increment their password you can still get in. Why does auth not work like this instead:

  1. Client establishes an encrypted connection with the server (hopefully)

  2. Client and Server agree upon a type of hash and possibly a salt scheme, similarly to how they can agree upon various types of encryption in SSH

  3. Client sends the username and hashed password (Hash1) within the encrypted channel

  4. Server hashes Hash1 again however they like into Hash2, and then compares Hash2 with the hashes in their database

This prevents intercepted passwords from being used elsewhere and rehashing on the server side prevents a hash stolen from the database from being used in a PTH attack.

Why is authentication built the way it is? To be very clear, I'm not suggesting ditching any existing security measures like SSL or server side hashing, just adding this additional one.

Full post on the Network Security Noblemen tumblr.
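The four-step scheme proposed in the question, implemented end to end as an added example (this is not code from the original post or the tumblr it came from). The client derives Hash1 with PBKDF2 salted by the site name and username, so the same password produces a different Hash1 on every site; the server re-hashes Hash1 with its own random salt into Hash2 and stores only that. The site names, usernames, passwords and iteration counts are constructed placeholders, and `AuthServer` is a hypothetical in-memory stand-in for a real server and database. The demo checks each attack the question raises (cross-site reuse of an intercepted credential, pass-the-hash with a stolen database entry) and also shows the caveat the question does not mention: Hash1 is still a replayable credential for the site it was derived for.

```python
import hashlib
import hmac
import secrets

# Iteration counts are placeholder assumptions for the example, not a recommendation.
CLIENT_ITERATIONS = 50_000
SERVER_ITERATIONS = 50_000
DUMMY_SALT = bytes(16)


def client_hash(password: str, username: str, site: str) -> bytes:
    """Hash1: derived on the client before the password leaves the machine.

    The salt is the (site, username) pair, so the same password yields a
    different Hash1 on every site. No per-user secret is needed from the
    server, so the client can compute this before the account exists.
    """
    salt = f"{site}\x00{username}".encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_ITERATIONS)


def server_hash(hash1: bytes, server_salt: bytes) -> bytes:
    """Hash2: the server re-hashes Hash1 with its own random salt before storing it."""
    return hashlib.pbkdf2_hmac("sha256", hash1, server_salt, SERVER_ITERATIONS)


class AuthServer:
    """Hypothetical server for one site; the 'database' is a dict of username -> (salt, Hash2)."""

    def __init__(self, site: str):
        self.site = site
        self.db = {}

    def register(self, username: str, hash1: bytes) -> None:
        server_salt = secrets.token_bytes(16)
        self.db[username] = (server_salt, server_hash(hash1, server_salt))

    def login(self, username: str, hash1: bytes) -> bool:
        record = self.db.get(username)
        if record is None:
            # Do the same work for unknown users so timing does not reveal which usernames exist.
            server_hash(hash1, DUMMY_SALT)
            return False
        server_salt, stored_hash2 = record
        return hmac.compare_digest(server_hash(hash1, server_salt), stored_hash2)


def demo() -> dict:
    """Exercise the scheme against the attacks the question discusses (constructed data)."""
    alice_pw = "hunter2"
    site_a, site_b = AuthServer("example.com"), AuthServer("example.org")
    h1_a = client_hash(alice_pw, "alice", site_a.site)
    h1_b = client_hash(alice_pw, "alice", site_b.site)
    site_a.register("alice", h1_a)
    site_b.register("alice", h1_b)

    _stolen_salt, stolen_hash2 = site_a.db["alice"]  # attacker dumps site A's database
    return {
        "login_ok": site_a.login("alice", h1_a),
        "wrong_password": site_a.login("alice", client_hash("hunter3", "alice", site_a.site)),
        "hash1_differs_per_site": h1_a != h1_b,
        # Hash1 sniffed from the channel to site A is useless at site B, even with the same password.
        "cross_site_reuse": site_b.login("alice", h1_a),
        # Hash2 lifted from the database cannot be presented as Hash1 (no pass-the-hash).
        "pass_the_hash": site_a.login("alice", stolen_hash2),
        # Caveat: Hash1 captured from the channel to site A is still a valid credential for site A.
        "replay_on_same_site": site_a.login("alice", h1_a),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The server-side re-hash is what stops a database dump from being replayed (the stored Hash2 is never what the client sends), and the site-bound client salt is what stops cross-site reuse. Neither step removes the dependence on the encrypted channel for the site itself: whoever captures Hash1 in transit holds a password-equivalent for that site until the user changes their password, which is why client-side hashing is a defence against credential reuse and database theft rather than a replacement for TLS.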
