{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreih6fig7jjvs7tfqmogzcnngv4ghgccc6qvpjveiu4lfrg7lhmst7q",
"uri": "at://did:plc:pgryn3ephfd2xgft23qokfzt/app.bsky.feed.post/3miede534bhm2"
},
"path": "/t/gpt-vs-claude-showdown-chatgpt-5-2-instant-vs-the-not-exactly-top-tier-sonnet-4-6/174841#post_1",
"publishedAt": "2026-03-31T12:22:31.000Z",
"site": "https://discuss.huggingface.co",
"tags": [
"https://chatgpt.com/share/69cbbbf6-854c-8396-8b4e-c08029d7deb3"
],
"textContent": "The problem: I’m building a forum with a custom engine and I don’t want the expensive Argon2 function to be computed server-side (DDoS risk). Instead, it should be computed client-side in JavaScript — but crucially, the server should then run the result through a single fast SHA hash before storing or comparing it.\n\nLet’s look at the attacks:\n\nSHA hash leak — Argon2 still has to be computed (e.g. a million times) regardless of whether the protection runs client-side or server-side.\n\nMan-in-the-middle — the hash can always be intercepted, whether I’m sending plaintext or an Argon2 digest, so here I simply have to assume a secure transport layer — HTTPS, not HTTP.\n\nApart from the fact that my approach doesn’t put load on the server, I don’t see how it’s worse.\n\nClaude agrees with me, while GPT insists Argon2 must run server-side. Maybe I’m just hearing what I want to hear — but Claude’s reasoning resonates with me, whereas GPT feels like someone who crammed the textbook without understanding it.\n\nAddendum / Reply to the obvious objection:\n\nYes, a determined attacker could skip the client-side Argon2 and send a raw SHA directly — but that completely misses the point. The threat model here is DDoS, not account takeover. In a DDoS scenario, the attacker is flooding the server with requests hoping to exhaust its CPU with expensive Argon2 computations. If the client sends a raw SHA instead of a proper Argon2 hash — they simply won’t log in. The server just does one cheap SHA and compares. No expensive computation happens server-side at all.\n\nSo:\n\nLegitimate user → runs Argon2 client-side → sends result → server does 1× SHA → matches → login OK\n\nDDoS bot → skips Argon2, sends garbage → server does 1× SHA → no match → login fails → server spent almost nothing\n\nThe attacker gains nothing by bypassing Argon2 except a failed login at negligible server cost. That’s the entire point. The expensive computation either happens on their machine or not at all.\n\nIn Polish (part of the discussion, GPT side): https://chatgpt.com/share/69cbbbf6-854c-8396-8b4e-c08029d7deb3",
"title": "GPT vs Claude Showdown — ChatGPT 5.2 Instant vs. the-not-exactly-top-tier Sonnet 4.6"
}