The hash or a checksum can be sent to the page to be checked by the same function running in your browser that is checking if the new password has special characters etc.
That would be an extremely bad idea though, because it would allow a malicious attacker to
Username/password validation should happen entirely server-side, with as little information as possible provided to the client
Yyyup. This is also why it’s good practice to respond with HTTP 404 if a public user has tried to access user data they shouldn’t have access to, whether it exists or not. Don’t give them the hint that they hit a path that has forbidden data.
💯
It’s recommended practice to not even tell them which half of the username/password combination failed upon authentication failures.
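An added example (not from any commenter in this thread) of the server-side pattern the comments above describe: a login check that does the same hashing work and returns the same message whether the username or the password is wrong, and a record lookup that answers 404 both for records that do not exist and for records the requester may not see. The usernames, passwords and record ids are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample user store: username -> (salt, PBKDF2 hash). Passwords are
# only ever checked on the server; nothing about the hash is sent to the browser.
_ITERATIONS = 200_000

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)

def _make_user(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)

USERS = {"alice": _make_user("correct horse battery staple")}  # constructed

# Dummy credential used when the username is unknown, so the server does the same
# amount of hashing work either way and response time does not reveal valid usernames.
_DUMMY_SALT, _DUMMY_HASH = _make_user("placeholder-not-a-real-password")

GENERIC_LOGIN_ERROR = "Invalid username or password"

def authenticate(username: str, password: str) -> tuple[int, str]:
    """Return (http_status, message); the message never says which half failed."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # Constant-time comparison so a byte-by-byte mismatch position does not leak.
    ok = hmac.compare_digest(candidate, stored)
    if ok and username in USERS:
        return 200, "OK"
    return 401, GENERIC_LOGIN_ERROR

# Constructed records: record id -> owner username.
RECORDS = {"r1": "alice", "r2": "bob"}

def fetch_record(requester: str, record_id: str) -> tuple[int, Optional[str]]:
    """404 for both 'does not exist' and 'exists but is not yours', so the
    response does not confirm that a forbidden record is present."""
    owner = RECORDS.get(record_id)
    if owner is None or owner != requester:
        return 404, None
    return 200, f"record {record_id} owned by {owner}"
```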
Seems like a great way for me to harvest a bunch of hashes to pull down to my GPU rig and crack offline.