The browser could do the hashing, but then the frontend would need the same salt, which is a huge liability. Some apps obfuscate it by encrypting with a nonce or something, but all that does is delay an attack.
Standard practice is indeed to hash on the server, with a limited number of attempts on the same account in a time window to prevent brute-force attacks.
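The arrangement the reply describes, as an added example that is not part of the original comment: the server keeps a random per-user salt that never reaches the browser, and it counts failed attempts per account inside a time window. The in-memory store, the 5-attempts-per-10-minutes policy, the PBKDF2 work factor and the helper names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Constructed in-memory user store: username -> (salt, derived_key).
# In a real application this is a database table; the salt is stored
# next to the hash and is only ever read on the server.
USERS = {}

MAX_ATTEMPTS = 5          # assumed policy: 5 failures ...
WINDOW_SECONDS = 600      # ... within 10 minutes locks the account
ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor (assumed)
_failures = defaultdict(deque)  # username -> timestamps of recent failures

def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted derivation done server-side; the browser sends the
    # plaintext password over TLS and never sees the salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt per user
    USERS[username] = (salt, _derive(password, salt))

def _too_many_attempts(username: str, now: float) -> bool:
    q = _failures[username]
    while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside the window
        q.popleft()
    return len(q) >= MAX_ATTEMPTS

def login(username: str, password: str, now: float = None) -> str:
    """Returns 'ok', 'denied' or 'locked'."""
    now = time.time() if now is None else now
    if _too_many_attempts(username, now):
        return "locked"                       # rejected before any hashing work
    record = USERS.get(username)
    # Derive against a dummy salt for unknown users so the response time
    # does not reveal whether the account exists.
    salt, stored = record if record else (b"\x00" * 16, b"")
    candidate = _derive(password, salt)
    if record and hmac.compare_digest(candidate, stored):
        _failures[username].clear()           # success resets the counter
        return "ok"
    _failures[username].append(now)
    return "denied"
```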