www.webdeveloper.com

Thread: The need for hashing the password client-side, while the https connection is used

  1. #1
    Join Date
    Jun 2012
    Posts
    3

    The need for hashing the password client-side, while the https connection is used

    Is there a reason to hash the password on the client side if you are using a secure connection (https)?

    I understand that if you use https, then all traffic is encrypted ... and passwords are also passed encrypted.

    Or am I wrong?

  2. #2
    Join Date
    Jul 2008
    Location
    urbana, il
    Posts
    2,787
    Quote: Originally posted by CrazySurfer
    Is there a reason to hash the password on the client side if you are using a secure connection (https)?
    yeah; if your DB gets hacked, you are facing a lot more liability if you store clear-text passwords than hashes. You should never let a password enter your building; it becomes your liability at that point.

    If your form is using GET, the password can show up in logs and history. I once saw terribly-written embed code that changed the action of whatever was the first form in the DOM. If that happens to you and you send passwords to lord knows where, people are going to complain loudly.

  3. #3
    Join Date
    Jun 2012
    Posts
    3
    Quote: Originally posted by rnd me
    yeah; if your DB gets hacked, you are facing a lot more liability if you store clear-text passwords than hashes. You should never let a password enter your building; it becomes your liability at that point.

    If your form is using GET, the password can show up in logs and history. I once saw terribly-written embed code that changed the action of whatever was the first form in the DOM. If that happens to you and you send passwords to lord knows where, people are going to complain loudly.
    I know it's bad practice to store clear-text passwords. But I can hash the password on the server side, not the client.

  4. #4
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120
    Client-side hashing isn't "necessary" over SSL, so long as you transmit the password in POST data, as opposed to GET data.


    ADDENDUM: In fact, I think it's actually quite uncommon that web apps will perform client-side password hashing. If you open Firebug or inspector in chrome/safari and log into facebook, for instance, you'll see that your credentials are provided plainly in the POST data. The only transit security is the SSL.
    Last edited by svidgen; 06-08-2012 at 02:25 PM.
    Jon Wire

    thepointless.com | rounded corner generator

    I agree with Apple. Flash is just terrible.

    Use CODE tags!
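
Server-side hashing of a password that arrives in POST data over HTTPS, as discussed in the replies above, could look like the following. This is an added example, not code from any poster in the thread; the function names, the form field name `password` and the scrypt cost parameters are assumptions.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlsplit

# Constructed scrypt cost parameters for this example (assumptions, not from the thread).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2**14, 8, 1, 32


def extract_password(method, url, body):
    """Accept the password only from a POST body; refuse it in the URL."""
    if "password" in parse_qs(urlsplit(url).query):
        # A query-string password ends up in server logs and browser history.
        raise ValueError("password must not appear in the query string")
    if method.upper() != "POST":
        raise ValueError("credentials must be sent with POST")
    fields = parse_qs(body)
    if "password" not in fields:
        raise ValueError("missing password field")
    return fields["password"][0]


def hash_password(password, salt=None):
    """Return (salt, digest). Only these two values are stored, never the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    # Constructed sample request: form-encoded POST body as the server sees it after TLS.
    pw = extract_password("POST", "/login", "user=alice&password=correct+horse")
    salt, digest = hash_password(pw)          # done once, at registration
    print(verify_password("correct horse", salt, digest))  # login attempt
    print(verify_password("wrong guess", salt, digest))
```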

  5. #5
    Join Date
    Jun 2012
    Posts
    3
    Thanks for your answer
