Following on your theme of charitably assuming at least the possibility of a safe implementation, this could certainly be done without surfacing the hash on the front end.
It could be that each keystroke triggers an API request which sends the current input, then the API hashes it and compares that to the original, entirely in the backend.
Not likely, but possible.
Fair, it could, yes. The bigger problem was definitely the ability to brute force the passwords though, as surfacing the hash still leaves them encrypted which isn’t super valuable without access to the hashing algorithm.
Right, so the hashing and comparison of hashes also can happen in the back end, and the API response can just be true/false whether it’s a match or not. That way the hashes and the hashing algorithm could all stay private.
The comparison API would of course also need its own rate limits and backoff etc. to ensure it cannot be used to brute-force attempts until you get a ‘true’ back.
All in all it’s a terrible idea though and nobody should actually do this.
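To make the thread's conclusion concrete, here is an added example (written for this page, not code from any commenter or from the site under discussion) of the "charitable" backend sketched above: the hash and algorithm never leave the server, the endpoint answers only true/false, and consecutive failures trigger exponential backoff. It then drives that endpoint with the per-keystroke client the thread describes. The choice of scrypt, the `FakeClock`, the account name `alice`, the password `correct horse`, the 0.3 s typing interval and the 1 s base delay are all constructed assumptions for the demonstration.

```python
# Added example (not from the thread): a server-side password-check endpoint
# with private salted hashing, constant-time comparison and per-account
# exponential backoff, plus the per-keystroke client the comments describe.
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# scrypt work factors; a production deployment would tune these upward.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
# Dummy salt hashed for unknown usernames so response time does not reveal
# whether an account exists (constructed value, not a real credential).
_DUMMY_SALT = b"\x00" * 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard hash. Returns (salt, digest); both stay server-side."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return salt, digest


class FakeClock:
    """Deterministic clock so the simulation never really sleeps (assumption)."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class PasswordCheckAPI:
    """Holds salt+hash privately and answers only (matched, retry_after_seconds).

    Consecutive failures per account double the lockout; requests made while
    locked are refused without touching the hash at all.
    """
    def __init__(self, stored: Dict[str, Tuple[bytes, bytes]], clock,
                 base_delay: float = 1.0, max_delay: float = 300.0) -> None:
        self._stored = stored
        self._clock = clock
        self._base = base_delay
        self._max = max_delay
        self._state: Dict[str, Tuple[int, float]] = {}  # user -> (failures, locked_until)
        self.hash_evaluations = 0                         # how often scrypt actually ran

    def check(self, username: str, candidate: str) -> Tuple[bool, float]:
        now = self._clock()
        failures, locked_until = self._state.get(username, (0, 0.0))
        if now < locked_until:
            return False, locked_until - now             # refused while backing off
        known = username in self._stored
        salt, expected = self._stored[username] if known else (_DUMMY_SALT, bytes(DKLEN))
        _, actual = hash_password(candidate, salt)      # always hash: uniform timing
        self.hash_evaluations += 1
        if known and hmac.compare_digest(actual, expected):
            self._state.pop(username, None)              # success resets the counter
            return True, 0.0
        failures += 1
        delay = min(self._base * 2 ** (failures - 1), self._max)
        self._state[username] = (failures, now + delay)
        return False, delay


def simulate_keystroke_client(api: PasswordCheckAPI, clock: FakeClock, username: str,
                              password: str, interval: float = 0.3) -> List[Tuple[str, bool, float]]:
    """The per-keystroke client from the thread: one API call per character typed."""
    outcomes = []
    for i in range(1, len(password) + 1):
        clock.now = (i - 1) * interval                   # i-th key pressed at this time
        matched, retry_after = api.check(username, password[:i])
        outcomes.append((password[:i], matched, retry_after))
    return outcomes


def demo() -> dict:
    """Legitimate user types the correct password one key at a time."""
    clock = FakeClock()
    password = "correct horse"                           # constructed sample credential
    api = PasswordCheckAPI({"alice": hash_password(password)}, clock)

    typed = simulate_keystroke_client(api, clock, "alice", password)
    _, final_ok, final_wait = typed[-1]
    hashes_while_typing = api.hash_evaluations

    # A classic single submission of the whole password, after the backoff
    # the user's own keystrokes caused has expired, is accepted.
    clock.now += final_wait + 0.01
    full_ok, _ = api.check("alice", password)
    unknown_ok, _ = api.check("nobody", password)       # same answer shape for unknown users
    return {
        "keystrokes": typed,
        "final_keystroke_matched": final_ok,
        "hash_evaluations_while_typing": hashes_while_typing,
        "full_submission_matched": full_ok,
        "unknown_user_matched": unknown_ok,
    }


if __name__ == "__main__":
    for prefix, ok, wait in demo()["keystrokes"]:
        print(f"{prefix!r:18} matched={ok!s:5} retry_after={wait:.1f}s")
```

Running `demo()` shows the tension the thread points at: of the thirteen keystroke requests only three reach the hash, the rest are refused while the account is backing off, and the request carrying the complete, correct password is among the refused ones. The same limits that stop an online guessing loop also stop a user typing their own password, which is why a per-keystroke check cannot be both safe and usable.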