I don’t know if this is the right sub.
I was wondering why passwords are hashed in the backend and not the frontend? I mean, why doesn’t it produce a vulnerability?
I heard it’s because passwords are transported over TLS.
So the logical flow would be:
Plain text password -> encrypted in TLS/SSL -> routed to the server -> decrypted by the server -> plain text -> hashed -> compare the hash to the hash in the database
But between the TLS/SSL decryption and the hashing, the password would be plain text. Or are you hashing the TLS/SSL-encrypted password?
Because if you are not, there could be malware on the database that collects the plain text password after the SSL/TLS decryption.
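The server-side steps of the flow described in the post (hash the decrypted password, then compare it to what the database holds), as an added Python example that is not part of the original post. The in-memory USER_DB, the PBKDF2 work factor and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the user table: username -> (salt, hash).
# Assumed for this example; a real application keeps this in its database.
USER_DB = {}

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash from the plaintext password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Sign-up on the server: pick a random salt, hash, store only salt + hash."""
    salt = os.urandom(16)
    USER_DB[username] = (salt, hash_password(password, salt))


def verify_login(username: str, password: str) -> bool:
    """Login on the server: after TLS decryption the plaintext exists only long
    enough to recompute the hash and compare it to the stored one."""
    record = USER_DB.get(username)
    if record is None:
        # Burn one hash anyway so unknown users take about as long as known ones.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored_hash = record
    candidate = hash_password(password, salt)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, stored_hash)


def database_contains_plaintext(username: str, password: str) -> bool:
    """What someone reading the stored record sees: salt and hash, not the password."""
    salt, stored_hash = USER_DB[username]
    return password.encode("utf-8") in salt + stored_hash


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify_login("alice", "correct horse battery staple"))  # True
    print(verify_login("alice", "wrong"))                          # False
    print(database_contains_plaintext("alice", "correct horse battery staple"))  # False
```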