Why doesn't OWASP recommend to bcrypt the password both on the client and the server?

醉酒成梦 2021-01-18 18:01

Since the recent problems with GitHub and Twitter:

  • GitHub Accidentally Recorded Some Plaintext Passwords in Its Internal Logs
  • Twitter Admits Recording
4 Answers
  •  囚心锁ツ
    2021-01-18 18:41

    The problem with this scheme is that it requires the server to trust the client. In particular, it assumes the client will always actually hash what the user types in. If we break this assumption, as an intruder might, problems start to pop up.

    Bob has a list of (single-hashed) passwords from your server logs. These aren't plaintext passwords, but they aren't the double-hashed passwords from your password file. But let's say he makes one small change to your client: he takes out the bcrypt() line, so it no longer hashes whatever he pastes into the password field before sending: instead, it just sends the raw text.

    Then he starts sending logins. Now your server sees usernames and single-hashed passwords (because that's what Bob typed, because that's what Bob knows). It assumes this is the usual client, so it goes on to hash the password again and check against the double-hashed password in its file... and it's been hashed exactly twice, so it matches. Bob didn't know the plaintext password, but by modifying the client he made it so he didn't need to know it.
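The scenario in the answer above, as an added example that is not part of the original answer: a server that stores hash(client_hash) accepts a logged client hash replayed as-is, so the value on the wire is password-equivalent and must be protected like a plaintext password. Assumptions: PBKDF2 from the standard library stands in for bcrypt, and the `Server` class, `honest_client` and all sample values are hypothetical and constructed for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 1_000  # deliberately low so the demo runs fast; not a production setting


def kdf(secret: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt (assumption): a salted, slow hash from the stdlib."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def honest_client(password: str, client_salt: bytes) -> bytes:
    """What the unmodified client sends: the single-hashed password."""
    return kdf(password.encode(), client_salt)


class Server:
    """Hypothetical server that hashes whatever arrives a second time."""

    def __init__(self):
        self.users = {}        # username -> (server_salt, double_hash)
        self.request_log = []  # models the logging bug: raw wire values

    def register(self, user: str, wire_value: bytes) -> None:
        server_salt = os.urandom(16)
        self.users[user] = (server_salt, kdf(wire_value, server_salt))

    def login(self, user: str, wire_value: bytes) -> bool:
        self.request_log.append((user, wire_value))
        server_salt, stored = self.users[user]
        # The server cannot tell whether wire_value came from hashing a
        # typed password or was pasted in directly by a modified client.
        return hmac.compare_digest(kdf(wire_value, server_salt), stored)


def demo():
    server = Server()
    client_salt = os.urandom(16)
    password = "correct horse battery"  # constructed sample value
    server.register("alice", honest_client(password, client_salt))

    honest_ok = server.login("alice", honest_client(password, client_salt))
    _, logged_value = server.request_log[-1]          # single-hashed, from the log
    replay_ok = server.login("alice", logged_value)   # sent without client hashing
    wrong_ok = server.login("alice", honest_client("wrong guess", client_salt))
    leaked_plaintext = password.encode() in logged_value
    return honest_ok, replay_ok, wrong_ok, leaked_plaintext
```

The replayed log entry authenticates even though the plaintext never appears in the log, which is why scrubbing credentials from request logs is still required under this scheme.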
