Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It definitely doesn’t happen on the client. If it did then the server’s password file would effectively be plaintext.


> If it did then the server’s password file would effectively be plaintext.

Send seed and hashing parameters to the client, then client does hashing, client sends hash, server compares hashes. It's vulnerable to replay attacks, but it's the same with client sending plaintext password to server (assuming that you're not using SSH or similar).


You two are working your ways towards defining a zero-knowledge password proof:

https://en.wikipedia.org/wiki/Zero-knowledge_password_proof

I think SRP is the most widely implemented version. https://en.wikipedia.org/wiki/Secure_Remote_Password_protoco...


Note that SRP is an older protocol, and things have moved on from there. See various PAKE algorithms:

* https://en.wikipedia.org/wiki/Password-authenticated_key_agr...




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: