
Comments (2)

stnguyen90 commented on June 10, 2024

@notsarv, thanks for creating this issue! 🙏🏼 I don't think we want to move forward with adding methods to accept hashed passwords because:

  1. HTTPS should help mitigate MITM attacks
  2. If the concern is MITM attacks, the attacker can still sniff and get the password on login
  3. It's industry standard for logins to accept plain text passwords

from appwrite.

Uma-129 commented on June 10, 2024

Title: Enhancing Security: Introducing Encrypted Password Support in Client SDKs

Overview:
In today's digital landscape, ensuring the security and privacy of user data is paramount. One critical aspect of this is safeguarding user credentials during transmission, particularly against potential MITM (Man-in-the-Middle) attacks. Currently, encrypted password support is limited to server SDKs, leaving client-side implementations vulnerable to interception.

Proposal:
To bolster security and protect user credentials, I propose extending encrypted password support to client SDKs for login/signup endpoints. This enhancement would allow developers to pass encrypted passwords directly from client devices, mitigating the risk of unauthorized access and ensuring end-to-end encryption of sensitive data.

Benefits:

  • Enhanced Security: By encrypting passwords at the client side, we minimize the risk of interception by malicious actors, thereby strengthening overall security measures.
  • User Privacy: Protecting user credentials during transmission instills confidence in our platform and reinforces our commitment to user privacy.
  • Industry Best Practice: Implementing encrypted password support aligns with industry best practices for securing user authentication processes, demonstrating our dedication to maintaining high standards of security.
  • Developer Empowerment: Equipping developers with the tools to implement robust security measures seamlessly enhances the developer experience and encourages the adoption of secure coding practices.

Implementation Plan:

  1. Conduct a thorough review of existing client SDKs to assess the feasibility of integrating encrypted password support.
  2. Collaborate with development teams to design and implement encryption mechanisms compatible with client-side environments.
  3. Provide comprehensive documentation and support resources to guide developers in implementing encrypted password functionality within their applications.
  4. Conduct rigorous testing and security audits to ensure the integrity and effectiveness of the encryption implementation.
  5. Roll out the feature incrementally, soliciting feedback from developers to iterate and improve upon the implementation as needed.

Conclusion:
By introducing encrypted password support in client SDKs, we bolster the security of our platform and prioritize the protection of user data. This proactive measure not only mitigates potential security risks but also reinforces trust and confidence among our user base. I urge the team to consider this proposal as a crucial step towards enhancing the overall security posture of our platform.

Thank you for considering this proposal.

Sincerely,
Uma

