I have found a lot of posts on hashing at the client but none that quite answer my question.

I would like to hash user passwords at the client so that I don't have to send a plain text password across the web, but I have a question as to how I might do so successfully when using a salt.

The normal procedure of validating a password is:

1) user enters username and password
2) recover salt based on username
3) hash password and salt
4) check hash against db

If this all takes place on the server, this is no big deal, but it becomes complicated if you are on the client. 2) would have to be a call back to the server while maintaining the password somewhere (without posting it), so... ajax? Is that the best way or am I missing something?

Thanks in advance!

+4  A: 

Sending a hashed password over an unencrypted connection is no better than sending the unhashed plain text password. A bad guy can intercept the hashed password and replay that as the credential later.

What you want is to send the real password over SSL.

Jonathan Feinberg
Regarding the hashed password, that's not exactly true. The usual way to work around it is using a 'nonce', like HTTP Digest Auth does for example. http://en.wikipedia.org/wiki/Cryptographic_nonce
Lukáš Lalinský
+1  A: 

As a more secure alternative to sending unencrypted hashes or passwords across an unsecured channel (but still less secure than SSL), you might look at Digest Authentication.

As was stated above, sending the hash across an insecure channel would still allow someone else to log on as the user.

Jason
A: 

Thanks guys, I don't know what I was thinking. I'll check out the Digest.

Nate
@Nate: welcome to SO! You should do three things: 1. delete this answer because it's a comment; 2. because it's a comment, post it as a comment under the best answer; 3. because you've found the best answer, you should accept it by clicking the checkmark to its left
Michael Haren
Unfortunately, I actually asked the question anonymously before I made a user account. If I can somehow 'claim' this question, please let me know. Thanks!
Nate