I know you gotta store the passwords hashed but doesn’t that just move the goalposts? How come someone can’t use the hashed end result to get into the service it was used for?
Because the service is going to hash whatever password you provide. If you sent the hash itself, it would hash it again and get a non-matching result.
You’d think that having those hashed values might help, but it doesn’t really (as long as other best practices are in place). Ultimately having someone’s password is used to impersonate them, which means using the same front end to the service as everyone else.
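The point made in the answer above, as an added example that is not part of the original posts: a login routine that hashes whatever is submitted rejects the leaked hash, while a server that compares a client-supplied hash directly (one way the best practices can be missing) accepts it. The account name, passwords, PBKDF2 parameters and function names are all assumptions constructed for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (value assumed for this sketch)
USERS = {}            # constructed in-memory "users table": name -> (salt, stored_hash)

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)  # per-user random salt
    USERS[username] = (salt, _derive(password, salt))

def login(username: str, submitted: str) -> bool:
    """Hash whatever the client submitted, then compare in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_derive(submitted, salt), stored)

def login_flawed(username: str, submitted_hex: str) -> bool:
    """Anti-pattern: the client sends the hash and the server compares it as-is,
    so the stored hash itself becomes the credential."""
    record = USERS.get(username)
    try:
        submitted = bytes.fromhex(submitted_hex)
    except ValueError:
        return False
    return record is not None and hmac.compare_digest(submitted, record[1])

def demo() -> dict:
    register("alice", "correct horse battery staple")  # constructed sample account
    leaked = USERS["alice"][1].hex()  # what a database dump would reveal
    return {
        "real_password": login("alice", "correct horse battery staple"),
        "leaked_hash_as_password": login("alice", leaked),
        "wrong_password": login("alice", "hunter2"),
        "leaked_hash_vs_flawed_server": login_flawed("alice", leaked),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```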