Methods for securely offloading password hashing to client

Patent application, 2022

After a successful compromise, attackers may recover stored password hashes. These hashes may then be cracked to be able to use them on other services where the same or similar passwords may have been reused. A common method to secure such hashes is by using computationally expensive hash functions. This is usually done on the server and consumes a large amount of resources. Moreover, no such techniques exist for storing credentials on the client so that only the desired server can recover them.

This invention aims to solve the issue of storing password hashes primarily in two ways:
• moving the password hashing step to the client without introducing new security risks in the
process; and
• encrypting client stored hashes in a way that only the targeted server is able to recover them.