Is client-side hashing secure during password creation when verification is still done server-side?

Trying to do this to distribute the work of creating a lot of users in which their passwords are hashed. This will cause the server to do a very large amount of work. The idea is this:
(Assume encrypted traffic)
==== Creating User ====

Ha…

Fail to understand how hash length extension might work in real application

I’m trying to understand how the hash length extension might work on real web applications using a hash for MAC.
Especially what I don’t get is, how the application considers the evil forged hash valid.
Let’s say we have an app which sends…