Comments (2)
@notsarv, thanks for creating this issue! 🙏🏼 I don't think we want to move forward with adding methods to accept hashed passwords because:
- HTTPS should help mitigate MITM attacks
- If the concern is MITM attacks, the attacker can still sniff and get the password on login
- It's industry standard for logins to accept plain text passwords
from appwrite.
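A worked illustration of the argument in the comment above, added here as an example and not part of the thread or of Appwrite's code. It is a toy login service (in-memory user store, PBKDF2 verifiers, constant-time compare; every name in it is hypothetical) exercised under both schemes: the client sending the plain password, and the client sending a SHA-256 of it as the issue proposes. A `Channel` object records what crosses the wire, which is what a man-in-the-middle on a non-TLS connection would observe.

```python
"""Added example (not Appwrite's code): why hashing a password on the client
does not remove the interception risk, and what the server does instead."""
import hashlib
import hmac
import os

# Constructed in-memory user store: username -> (salt, verifier).
# Hypothetical stand-in for a real user database.
USERS: dict[str, tuple[bytes, bytes]] = {}


def server_hash(secret: str, salt: bytes) -> bytes:
    """Salted, stretched server-side hash of whatever secret the client sent."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def register(username: str, secret: str) -> None:
    """Store only a per-user salt and the derived verifier, never the secret."""
    salt = os.urandom(16)
    USERS[username] = (salt, server_hash(secret, salt))


def login(username: str, secret: str) -> bool:
    """Verify a login attempt with a constant-time compare; unknown users
    cost the same PBKDF2 work so timing does not reveal which names exist."""
    salt, verifier = USERS.get(username, (b"\x00" * 16, b"\x00" * 32))
    ok = hmac.compare_digest(server_hash(secret, salt), verifier)
    return ok and username in USERS


def client_prehash(password: str) -> str:
    """The proposed client-side scheme: send SHA-256(password), not the password."""
    return hashlib.sha256(password.encode()).hexdigest()


class Channel:
    """Stand-in for the network path. It records what crosses it, which is
    exactly what an observer of a non-TLS connection would see."""

    def __init__(self) -> None:
        self.observed: list[tuple[str, str]] = []

    def send_login(self, username: str, wire_secret: str) -> bool:
        self.observed.append((username, wire_secret))
        return login(username, wire_secret)


def run_scheme(username: str, password: str, prehash: bool) -> dict:
    """Register a user, log in once over the channel, then check three things:
    the legitimate login works; the observed wire value alone also logs in,
    so client-side hashing does not remove the interception risk; and the
    stored verifier does not, so server-side salting and stretching is what
    keeps the database from being a store of usable credentials."""
    wire_secret = client_prehash(password) if prehash else password
    register(username, wire_secret)
    chan = Channel()
    legit = chan.send_login(username, wire_secret)
    observed_user, observed_secret = chan.observed[0]
    _, verifier = USERS[username]
    return {
        "legit_login": legit,
        "observed_wire_value_logs_in": login(observed_user, observed_secret),
        "stored_verifier_logs_in": login(username, verifier.hex()),
    }


if __name__ == "__main__":
    print("plaintext scheme:    ", run_scheme("alice", "correct horse", prehash=False))
    print("client-prehash scheme:", run_scheme("bob", "battery staple", prehash=True))
```

Both runs report the same shape of result: the value seen on the wire authenticates, whether it is the password or its client-side hash, because the server can only ever check what it receives. What actually protects the value in transit is TLS, and what protects the stored credential is the salted, stretched hash computed on the server, which the example shows is not itself usable to log in.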
Title: Enhancing Security: Introducing Encrypted Password Support in Client SDKs
Overview:
In today's digital landscape, ensuring the security and privacy of user data is paramount. One critical aspect of this is safeguarding user credentials during transmission, particularly against potential MITM (Man-in-the-Middle) attacks. Currently, encrypted password support is limited to server SDKs, leaving client-side implementations vulnerable to interception.
Proposal:
To bolster security and protect user credentials, I propose extending encrypted password support to client SDKs for login/signup endpoints. This enhancement would allow developers to pass encrypted passwords directly from client devices, mitigating the risk of unauthorized access and ensuring end-to-end encryption of sensitive data.
Benefits:
- Enhanced Security: By encrypting passwords at the client side, we minimize the risk of interception by malicious actors, thereby strengthening overall security measures.
- User Privacy: Protecting user credentials during transmission instills confidence in our platform and reinforces our commitment to user privacy.
- Industry Best Practice: Implementing encrypted password support aligns with industry best practices for securing user authentication processes, demonstrating our dedication to maintaining high standards of security.
- Developer Empowerment: Equipping developers with the tools to implement robust security measures seamlessly enhances the developer experience and encourages the adoption of secure coding practices.
Implementation Plan:
1. Conduct a thorough review of existing client SDKs to assess the feasibility of integrating encrypted password support.
2. Collaborate with development teams to design and implement encryption mechanisms compatible with client-side environments.
3. Provide comprehensive documentation and support resources to guide developers in implementing encrypted password functionality within their applications.
4. Conduct rigorous testing and security audits to ensure the integrity and effectiveness of the encryption implementation.
5. Roll out the feature incrementally, soliciting feedback from developers to iterate and improve upon the implementation as needed.
Conclusion:
By introducing encrypted password support in client SDKs, we bolster the security of our platform and prioritize the protection of user data. This proactive measure not only mitigates potential security risks but also reinforces trust and confidence among our user base. I urge the team to consider this proposal as a crucial step towards enhancing the overall security posture of our platform.
Thank you for considering this proposal.
Sincerely,
Uma