• decisivelyhoodnoises@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    8
    ·
    edit-2
    5 months ago

    My browser uses the same algorithm, so the text I entered is “2gtth5” now. The server looks up my hashed password

    This is not correct. Your browser will submit “shark” and then the backend server will do whatever hashing is required and after that it will compare the hashes. If hashing was happening in the browser that would mean that an attacker would be be able to attack by using just the hashes of the passwords, not the passwords themselves. Also in such case, the browser would had been responsible to do the required salting which in turn would make it pointless as it would had been known.