Why doesn't OWASP recommend to bcrypt the password both on the client and the server?

Backend · Unresolved · 4 answers · 1449
醉酒成梦 2021-01-18 18:01

Since the recent problems with GitHub and Twitter:

  • GitHub Accidentally Recorded Some Plaintext Passwords in Its Internal Logs
  • Twitter Admits Recording
4 answers
  •  花落未央
    2021-01-18 18:45

    Any hash (including bcrypt) requires a secret salt - read here for more details. If that salt is lost, the client will not be able to create the same hash - which is the same as losing the password. So you need to create a mechanism that will allow all your clients to get the salt securely. And you need to make sure that a hacker will not be able to get this salt. This is pretty complicated to achieve.

    Another thing to consider is the end user device limitations - for example, Android devices have pretty weak CPUs and are far less powerful than the average server. As the main strength of bcrypt is the time taken to compute the hash, you need to choose parameters such that a good server (maybe even with a GPU) will compute it in a slow time (let's say > 1s for passwords with 20 chars). This is what makes it so hard to create those rainbow tables.

    So, unless you can guarantee that all your users are running on strong enough devices, it is not recommended to do bcrypt on the client side.
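The two-stage flow the question asks about, including the per-user salt retrieval step the answer says every client needs, as an added example that is not from the post or from OWASP. It uses PBKDF2-HMAC from the Python standard library as a stand-in for bcrypt so it runs offline; the `Server` class, the iteration counts and the user data are constructed for illustration.

```python
import hashlib
import hmac
import os

# Stand-in for bcrypt (assumption: the page discusses bcrypt, but PBKDF2-HMAC
# ships with the standard library, so the example runs without extra packages).
def slow_hash(secret: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)

CLIENT_ITERATIONS = 20_000    # constructed: lower, because client devices are weaker
SERVER_ITERATIONS = 100_000   # constructed: higher, because the server can afford it

def client_side(password: str, client_salt: bytes) -> bytes:
    # First round happens on the client; only the result ever leaves the device,
    # so a server that logs request bodies never sees the plaintext password.
    return slow_hash(password.encode("utf-8"), client_salt, CLIENT_ITERATIONS)

class Server:
    """Constructed in-memory server: per-user client salt, server salt and server hash."""

    def __init__(self) -> None:
        self.users = {}  # username -> (client_salt, server_salt, server_hash)

    def register(self, username: str, password: str) -> None:
        # Registration simulated end to end: the client obtains a salt, hashes
        # locally, and the server applies a second round with its own salt.
        client_salt = os.urandom(16)
        client_hash = client_side(password, client_salt)
        server_salt = os.urandom(16)
        server_hash = slow_hash(client_hash, server_salt, SERVER_ITERATIONS)
        self.users[username] = (client_salt, server_salt, server_hash)

    def get_client_salt(self, username: str) -> bytes:
        # The client must be able to fetch the same salt at every login; if it
        # is lost, the client hash changes, which the answer equates with losing
        # the password. The value must also be the same on every call.
        return self.users[username][0]

    def verify(self, username: str, client_hash: bytes) -> bool:
        _, server_salt, stored = self.users[username]
        candidate = slow_hash(client_hash, server_salt, SERVER_ITERATIONS)
        return hmac.compare_digest(candidate, stored)

def login(server: Server, username: str, password: str) -> bool:
    salt = server.get_client_salt(username)          # step 1: fetch the salt
    return server.verify(username, client_side(password, salt))  # step 2: send hash

def login_with_lost_salt(server: Server, username: str, password: str) -> bool:
    # Failure mode from the answer: a client that regenerates the salt instead
    # of retrieving it produces a different hash and cannot log in.
    return server.verify(username, client_side(password, os.urandom(16)))
```

Both rounds are salted, so a leaked client hash is bound to one user and still has to pass the server-side work factor; the salt endpoint itself is what the answer warns must be designed with care.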
