Why isn't the password hashed and salted client-side, with the salt being sent from server to client?
I understand that hashing in the client side would only substitute the user password for a new one. This alone sounds like a win to me, as it at least contains the damage somewhat in case of leakage, especially if salted.
EDIT: Sorry, I just found the exact same discussion in this thread.
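The point the question raises, that a client-side hash just becomes "the new password", is easiest to see in code. The following is an added example and not part of the original thread; it assumes PBKDF2-SHA256 for both steps, a per-user salt the server hands to the client, and a second, server-only salt. The constructed `naive_store`/`naive_verify` pair shows the weak design (server stores the transmitted value as-is), and `server_store`/`server_verify` show the usual fix (server hashes the received value again before storing it), so a leaked database no longer contains anything that can be replayed as a login.

```python
import hashlib
import hmac

# Constructed parameters for the example; a real deployment would tune
# the iteration counts and generate both salts with os.urandom().
ITERATIONS = 50_000


def client_derive(password: bytes, client_salt: bytes) -> bytes:
    """What the browser sends instead of the raw password.

    The server gave it client_salt, so the same password always yields
    the same transmitted value: this value is password-equivalent.
    """
    return hashlib.pbkdf2_hmac("sha256", password, client_salt, ITERATIONS)


# --- Weak design: server stores exactly what the client sent --------------

def naive_store(transmitted: bytes) -> bytes:
    """Stores the transmitted value verbatim (hypothetical weak server)."""
    return transmitted


def naive_verify(transmitted: bytes, stored: bytes) -> bool:
    """With this design, whoever reads `stored` from a leaked database
    can send it back and log in without ever knowing the password."""
    return hmac.compare_digest(transmitted, stored)


# --- Usual fix: server hashes the received value again --------------------

def server_store(transmitted: bytes, server_salt: bytes) -> bytes:
    """Hashes the client's value once more with a salt the client never
    sees, so the database holds neither the password nor the login token."""
    return hashlib.pbkdf2_hmac("sha256", transmitted, server_salt, ITERATIONS)


def server_verify(transmitted: bytes, server_salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", transmitted, server_salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def leaked_record_is_replayable(stored: bytes, server_salt: bytes) -> bool:
    """Models the leak scenario: an attacker who only has the stored record
    sends it as the 'transmitted' value. True means the record alone logs in."""
    return server_verify(stored, server_salt, stored)


if __name__ == "__main__":
    # Constructed sample inputs.
    password = b"correct horse battery staple"
    client_salt = b"per-user-salt-sent-to-client"
    server_salt = b"server-only-salt"

    sent = client_derive(password, client_salt)

    weak = naive_store(sent)
    print("naive: leaked record logs in ->", naive_verify(weak, weak))  # True

    strong = server_store(sent, server_salt)
    print("fixed: real client logs in    ->", server_verify(sent, server_salt, strong))  # True
    print("fixed: leaked record logs in  ->", leaked_record_is_replayable(strong, server_salt))  # False
```

The client-side step still buys what the question describes: the raw password never leaves the browser, which limits damage when the same password is reused elsewhere. The server-side step is what keeps a database leak from being directly usable against this site.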