Can I encrypt password on both frontend and backend?

I'm making an application that needs logging in.

I used node.js as API.

I understand I have to encrypt the password on backend in case the database is stolen. But if for some reason HTTPS failed or some developer on our side had malicious intention he/she could easily steal the raw password if it wasn't encrypted on the frontend as well.

So my question is: is there a problem if I use Argon2 on the backend and BCrypt on the frontend together?

(Also I assumed that Argon2 is faster, so if the attacker wants to brute force he has to use the slow one as well on his side instead of my API heavy-lifting his/her shenanigans.)

I know there are some similar questions, but they ask if I should use one OR the other, and the answer is backend and HTTPS.

I WILL use HTTPS and backend encryption. But I ask if it's possible (or a good idea) to use encryption on the frontend as well.

Tomáš Růžička asked Oct 22 '25 05:10


1 Answer

Argon2 and BCrypt are not encryption algorithms. They're password stretchers (formally "PBKDFs" or "Password-based Key Derivation Functions"). It doesn't make sense to use both, however.

The design you're looking for is this:

  • Apply a password stretcher on the front-end so that the raw password is never sent to the server.
  • On the backend, apply a fast hash (SHA-256) so that the hashed password is not stored in the database.

The first part protects the user. Their password never leaves their machine. The second part protects your database. Even if it's stolen, there's no way for an attacker to use the hashes stored there to log into your system.

Rob Napier answered Oct 25 '25 19:10
