tags:

views:

185

answers:

6
+1  Q: 

Password hashing at client browser

What's the best way to hash the user password at the client browser, before sending it to the web server, so that only the hash goes out, not the plain-text password?

EDIT: assuming HTTP is used (not HTTPS)

+2  A: 

Use javascript to calculate the hash. See this for an example on how to calculate SHA-1 hashes in JS.

Beware that if you make yourself dependant on Javascript, your system will fail as soon as someone has JS disabled. You should use HTTPS if this is a concern to you, which has its own setbacks (e.g. certificates cost money if you want them to be immediately accepted by browsers.)

Martin Hohenberg  2009-11-21 07:56:45
+1  A: 

Not all people have JavaScript enabled in their browsers and even the idea of sending hashes on a plain-text channel I think is not secure enough.

I would recommend you to consider a SSL secured connection.

CMS  2009-11-21 07:56:47
+2  A: 

Try using this jQuery encryption plugin. Out of curiosity, what's wrong with using SSL/HTTPS and encrypting at the server side?

Traveling Tech Guy  2009-11-21 07:56:53
I presume working on plain HTTP
Andy  2009-11-21 08:02:30
+1  A: 

This site has quite comprehensive hashing/crypto stuff: JavaScript Encryption Library

o.k.w  2009-11-21 07:58:54
+1  A: 

JavaScript side encryption like the jQuery Encryption library stops Eavesdroppers. However, MITM (Man-in-the-Middle) can still occur. SSL/TLS is the ultimate choice that is highly recommended to take unless you are on shared hosting (no dedicated IPs) or your site is receiving so much traffic that you can't simply encrypt all connections (JS, CSS, HTML, ...).

rFactor  2009-11-21 09:47:30
A: 

Why would you bother doing this? Effectively, the password hash has become the password and a a man-in-the-middle who intercepts the hash can use it to authenticate and perform any action as the user. On the other hand, if you don't believe in the man-in-the-middle, why not just send the password itself?

erickson  2009-11-21 15:47:38
Challenge-Response protects against Eavesdropping -where you can't alter any data, but just listen to it. Since tokens are one-time only, the eavesdroppers will always be late and gain no use of the token.
rFactor  2009-11-22 14:16:29
Yes, that's true, I suppose it would stop an eavesdropping-only attacker from discovering the password. But in that case, I'd just just use HTTP Digest authentication rather than rolling my own.
erickson  2009-11-22 17:36:44

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security