Poll: Where do you hash passwords?

Where do you hash user passwords?

I usually hash on server side. But, I’ve been reading about how some people suggest hashing on client-side because it protects against programmer errors.

Some suggest both. Got me wondering how others here do it.

  • Server Side (only)
  • Client Side (only)
  • Server and Client sides (both)

0 voters

Nearly everyone does it server-side, except if you’re building an end-to-end encrypted app in which case the decryption process happens client-side and therefore the hash is generated client-side.

Doing the hashes client-side because “it protects against programmer errors” is a new one :slight_smile: What stops someone from making mistakes client-side?

3 Likes

For me I do a hash client-side and remove the plain text password from the form on submit. The reason is just a basic precaution (and certainly not foolproof) against someone having a detached dev inspector open in the background and easily viewing the form payloads if they’ve allowed someone to use their computer. The main hash (argon) is done server-side still

What @bpj said is one reason.

Like I said, I hash on server side, but one article I read was pretty interesting.

The programmer errors they were talking about were things like when Facebook accidentally logged plaintext passwords, or when Twitter did the same thing.

1 Like

Nothing against client-side hashes :slight_smile: Sorry if I sounded blunt in my initial answer.

I was a big proponent of end-to-end encryption and therefore client-side hashing. With time I realized no one really cared and I just went with the most common approach (server-side hashing)

Does Wappler provide a way to perform client-side hashing? If not, one could write a custom formatter to do such hashing.

:grinning: I didn’t find it too blunt. I like straightforward comments anyway.

As far as I know there isn’t a straight way to do it. But, you could create a var that the password field updates and then you hash that var. Just a guess.

Not that I’ll do it. :rofl:

There are no client-side crypto formatters at the moment. I did submit a FR a LONG time ago:

It is easy, though, to use a javascript function on submit (I use the crypto-js library - you need to include it on the page). I prefer not to use a formatter as I want the function to not only create the hash but also clear the plain-text version.

function pwhashsend() {
    var cp = document.getElementById('plain_pw'); // plain password input
    var np = document.getElementById('enc_pw'); // hidden password input (hashed) that is actually submitted
    var p = cp.value;
    // toString() returns the hex digest; the original discarded this result and
    // relied on the implicit conversion when assigning the WordArray below
    var hp = CryptoJS.SHA512(p).toString(CryptoJS.enc.Hex);
    cp.value = ''; // remove the plain-text password from the form before it is sent
    np.value = hp;
    return true;
}

on the form element use

onsubmit="return pwhashsend()"
1 Like

LOL Programmers… we are weird…

Us: We definitely prefer to hash passwords server-side.

Also us: But, let’s discuss how we could do it client-side anyway.

:smiley: :rofl: