• sugar_in_your_tea · 1 upvote · 6 months ago

    The browser could do the hashing, but then the frontend would need the same salt, which is a huge liability. Some apps obfuscate it by encrypting with a nonce or something, but all that does is delay an attack.

    Standard practice is indeed on the server with a limited number of attempts on the same account in a time window to prevent brute-force attacks.
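The scheme the comment describes, written out as an added example (this is not the commenter's code and not from any project the thread discusses): the server holds a random per-account salt that the client never sees, derives the hash with scrypt on the server, compares in constant time, and refuses further attempts on an account once it has accumulated too many failures inside a sliding window. The `AuthService` class, the in-memory user table and the fake clock are all constructed for the illustration; a real deployment would back the two dicts with a database.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque


class AuthService:
    """Server-side password verification with per-user salts and a
    per-account sliding-window limit on failed attempts.

    Added example, not code from the thread. The in-memory dicts are a
    constructed stand-in for a real user database.
    """

    # scrypt cost parameters: 128 * r * n bytes, i.e. 16 MiB per derivation.
    _N, _R, _P, _DKLEN = 2 ** 14, 8, 1, 32

    def __init__(self, max_attempts=5, window_seconds=60, clock=time.monotonic):
        self._users = {}                      # username -> (salt, digest)
        self._failures = defaultdict(deque)   # username -> timestamps of failures
        self._max_attempts = max_attempts
        self._window = window_seconds
        self._clock = clock                   # injectable so tests are deterministic
        # Salt used only to burn equal time on unknown usernames.
        self._dummy_salt = secrets.token_bytes(16)

    def _derive(self, password: str, salt: bytes) -> bytes:
        # The salt never leaves the server; the client only ever sends the password.
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=self._N, r=self._R, p=self._P, dklen=self._DKLEN)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)        # fresh random salt per account
        self._users[username] = (salt, self._derive(password, salt))

    def _recent_failures(self, username: str) -> deque:
        now = self._clock()
        failures = self._failures[username]
        # Drop failures that have aged out of the window.
        while failures and now - failures[0] > self._window:
            failures.popleft()
        return failures

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'bad_credentials' or 'rate_limited'."""
        failures = self._recent_failures(username)
        if len(failures) >= self._max_attempts:
            # Refuse before doing any KDF work so a flood cannot pin the CPU.
            return "rate_limited"

        record = self._users.get(username)
        if record is None:
            # Unknown account: still run the KDF so response time does not
            # reveal whether the username exists.
            self._derive(password, self._dummy_salt)
            failures.append(self._clock())
            return "bad_credentials"

        salt, stored = record
        if hmac.compare_digest(self._derive(password, salt), stored):
            failures.clear()
            return "ok"
        failures.append(self._clock())
        return "bad_credentials"


def demo(max_attempts: int = 3, window_seconds: int = 60) -> list:
    """Walk through a lockout and its expiry with a fake clock; returns the
    sequence of login outcomes."""
    now = [1000.0]
    svc = AuthService(max_attempts, window_seconds, clock=lambda: now[0])
    svc.register("alice", "correct horse battery staple")
    outcomes = [svc.login("alice", "correct horse battery staple")]
    for _ in range(max_attempts):
        outcomes.append(svc.login("alice", "wrong password"))
    outcomes.append(svc.login("alice", "correct horse battery staple"))  # locked out
    now[0] += window_seconds + 1                                           # window passes
    outcomes.append(svc.login("alice", "correct horse battery staple"))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two choices worth noting: the limit is checked before the key derivation runs, so a flood of requests against a locked account costs the server almost nothing, and an unknown username still pays for one derivation so that the response time does not disclose which accounts exist. The `defaultdict` does grow by one entry per distinct username attempted, so a production version would expire idle entries or key the failure log in a store with TTLs.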