DEV Community

Discussion on: Securing your express/Node.js API with Firebase auth

 
emeka profile image
Nwakwoke Patrick Nnaemeka

If your authentication logic depends on the server authenticating an already hashed password from the client, then all a hacker needs is that hashed password from the client, the real password isn’t useful to the hacker at this point.

Thread Thread
 
technoplato profile image
Michael Lustig - halfjew22@gmail.com

If they have a plain text password I entered and I am a normal user, wouldn’t the thought be that I’ve reused this email / password combination elsewhere?

Thread Thread
 
emeka profile image
Nwakwoke Patrick Nnaemeka

Yeah, but if every app did authentication the same way you are suggesting then their hashed password is still all that will be needed in a case of compromise. Your client code can be accessed on the browser so your hashing algorithm isn’t really hidden. My advice to you is just always have ssl.
Hope this guides you.
stackoverflow.com/questions/371592...

Thread Thread
 
technoplato profile image
Michael Lustig - halfjew22@gmail.com

Thanks for taking the time to answer these quandaries.

Last one: even if an attacker has both access to a hash and the hash function, if that hash function is secure, they still can’t reverse that to get the password, correct?

Thread Thread
 
emeka profile image
Nwakwoke Patrick Nnaemeka

No they can’t

Thread Thread
 
v6 profile image
🦄N B🛡

if every app did authentication the same way you are suggesting then their hashed password is still all that will be needed in a case of compromise.

There are, I think, ways to mitigate this kind of hash re-use. And I think Michael is right about there being some security advantages to interception of a hash vs a plaintext password.

Ideally a variable-salted hash of the passphrase would be signed by a given client's private key specific to the user, the same one used for a mutual TLS session.

It could still be intercepted via a MITM attack, but the attack might then give evidence of tampering.