
I know that, for security reasons, it is necessary to hash (with salt) the user's password and compare it to a stored hashed password, so that if anybody else gets the hashed string, he will have no way to compute the password back or look it up in a rainbow table.

There is one part of the method that I don't understand. Let's say I have this standard login form

<form method='post' action='login.php'>
    <input type='text' name='user' />
    <input type='password' name='password' />
    <input type='submit' name='submit' value='login' />
</form>

and then I use PHP for login

<?php
    if(isset($_POST['submit'])){
        // The form field is named 'user', so read that key (not 'username')
        $username = $_POST['user'];
        // Hash the submitted password before handing it to the login object
        $password = sha1($_POST['password']);
        $authorize = $login_object->login($username, $password);
    }
?>

and, behind the scenes, the $login_object takes care of authenticating with the database and returning true/false. (I made this object up, I have real, useful objects to do this)

But that means the password in the POST request traveled raw, un-hashed and unsafe! Anybody could have intercepted the real password!

So what I am thinking is that I should use JavaScript to hash the password before it's sent. I would have a hidden field <input type='hidden' name='real_password' value='' /> and have JavaScript copy the value of the input named password, hash it, put it in the real_password hidden input and blank the password field. This way, the POST request would have the hashed password and not the raw, unsafe, original password.

Am I right with what I'm saying, or should I just do the hashing in PHP?

  • 5
    If you hash the password with Javascript, then the actual password required to log in becomes the hashed password, which still travels over the wire raw and unencrypted. To transmit the password from the user's browser to your server safely, you'll need to use SSL. Commented Nov 8, 2012 at 2:03
  • 1
    Just use SSL... you should also look at password_compat, a simple and effective way of password hashing. Commented Nov 8, 2012 at 2:03
  • 4
    Most sites solve the password-in-the-clear problem by requiring https for the login page. Distributing the password hashing algorithm to any random internet browser is handing the keys to your kingdom. Now anybody interested needs only to sniff, get the hashed password, and then brute force the hashing algorithm you gave them to get back to the password. Commented Nov 8, 2012 at 2:04
  • @KelvinMackay why did you not post that as an answer? Commented Nov 8, 2012 at 2:04
  • @epascarello Good question, it's 2am here must be half asleep lol Commented Nov 8, 2012 at 2:13

3 Answers

6

Hashing secures the data on the server side. To secure the data-flow to the server, use HTTPS. In that regard it makes no difference whether the password or its hash is stolen (and later duplicated) on the wire. HTTPS also grants certificates to ensure that a padlock is displayed in the user's browser (remember never to enter important passwords in pages without proper certification).



3

My comment, as an answer ;)

If you hash the password with Javascript, then the actual password required to log in becomes the hashed password, which still travels over the wire raw and unencrypted. To transmit the password from the user's browser to your server safely, you'll need to use SSL.

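The point made by both answers above, as an added example that is not code from the question or from either answer: a simulation of the two designs on constructed sample data (no real database or HTTP involved). It shows that when the browser posts sha1(password), a copy of the captured POST body is itself a valid credential, and what server-side storage with password_hash looks like instead.

```php
<?php
// Added example, not from the question or answers. All users and requests
// below are constructed sample data standing in for the OP's table and form.

// ---- Design from the question: browser posts sha1(password) as real_password ----
$usersClientHashed = ['alice' => sha1('correct horse')];   // what the OP's table stores

function loginClientHashed(array $post, array $users): bool
{
    if (!isset($users[$post['user']])) {
        return false;
    }
    // Constant-time comparison of the stored hash against the posted value as-is.
    return hash_equals($users[$post['user']], $post['real_password']);
}

// What the browser sends over plain HTTP ...
$legitimatePost = ['user' => 'alice', 'real_password' => sha1('correct horse')];
// ... and a byte-for-byte copy taken by a passive eavesdropper. The server
// cannot tell them apart: the hash is now the credential, so the copy
// authenticates without anyone ever learning "correct horse".
$replayedPost = $legitimatePost;
var_dump(loginClientHashed($legitimatePost, $usersClientHashed));
var_dump(loginClientHashed($replayedPost, $usersClientHashed));

// ---- Design from the answers: plaintext over HTTPS, salted slow hash at rest ----
// password_hash() draws a random salt and embeds it in its output (bcrypt by default).
$usersServerHashed = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

function loginServerHashed(array $post, array $users): bool
{
    if (!isset($users[$post['user']])) {
        return false;
    }
    // password_verify() re-derives the hash with the embedded salt and compares safely.
    return password_verify($post['password'], $users[$post['user']]);
}

var_dump(loginServerHashed(['user' => 'alice', 'password' => 'correct horse'], $usersServerHashed));
var_dump(loginServerHashed(['user' => 'alice', 'password' => 'Tr0ub4dor&3'], $usersServerHashed));

// Hashing the same password twice gives different strings because each call
// uses a fresh salt; that is what defeats precomputed rainbow tables. A leaked
// table of these hashes also cannot be replayed as a login, since the server
// expects the password, not the hash. Neither property hides the password in
// transit: that is what HTTPS is for, which no hashing scheme replaces.
var_dump($usersServerHashed['alice'] === password_hash('correct horse', PASSWORD_DEFAULT));
```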

3

As many commenters have said, installing an SSL certificate will prevent any eavesdropping, so you do not have to worry about that. Sending it over HTTP is unencrypted and is susceptible to eavesdropping, especially on insecure wireless networks.

As for hashing the password on the client side, a better idea would be to look into client SSL certificates, which are actually generated by the browser itself (assuming you have an SSL certificate installed to encrypt the connection). Just put a <keygen> tag in your HTML and your browser generates a key pair and stores the private key in its key store (example). Then when visiting the site, the user sends the public key to the server to authenticate. Unfortunately it is a bit messy in all current browsers and doesn't work at all with Internet Explorer (Surprise, surprise. Thank you, Microsoft!).

2 Comments

+1 for evangelism. There's an excellent discussion of the keygen tag, with a lot of references, here: stackoverflow.com/questions/4501196/keygen-tag-in-html5
The keygen tag is deprecated and no longer recommended.
