Aint Login Insecure? #1403
-
|
Title. aint login insecure if ur sending the password in plain text to the web server like this:
|
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 2 replies
-
|
Im gonna post my custom code which hashes the password client side then sends it to the server as a hash. |
Beta Was this translation helpful? Give feedback.
-
|
Hashing the password on the client doesn't do anything to improve security. If your server accepts a pre-hashed version of the password, then the hashed version essentially becomes the password. So if someone were able to intercept your network request, they'd be able to steal credentials regardless. You'd need to do something a lot more complex to achieve better security (like generating some kind of different, secure random on the server and sending it with each request so the client can use that to generate unique encrypted passwords). See https://stackoverflow.com/questions/3715920/is-it-worth-hashing-passwords-on-the-client-side for more info on this. |
Beta Was this translation helpful? Give feedback.
-
|
i just saw this reply. and wow, that actually makes sense. thank u so much! |
Beta Was this translation helpful? Give feedback.
-
|
No, it's not. Actually, most forms are sent like this in 99% of websites out there. The security is provided at a lower level thanks to HTTPS / SSL. That's why it's crucial to use HTTPS in production. Hence, it's unnecessary to encrypt the data on the client side. |
Beta Was this translation helpful? Give feedback.
No, it's not. Actually, most forms are sent like this in 99% of websites out there. The security is provided at a lower level thanks to HTTPS / SSL. That's why it's crucial to use HTTPS in production. Hence, it's unnecessary to encrypt the data on the client side.