• sugar_in_your_tea@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    1
    ·
    4 months ago

    The browser could do the hashing, but then the frontend would need the same salt, which is a huge liability. Some apps obfuscate it by encrypting with a nonce or something, but all that does is delay an attack.

    Standard practice is indeed on the server with a limited number of attempts on the same account in a time window to prevent brute force attacks.