Why don't we see websites hashing passwords before sending them?
(Note about the question title: by "we" I mean myself)
Every time I log on to any website, I have this thought that a website asking me for my password and sending it back to the server is just basic security engineering. Why do all the websites send my plaintext password (at most over SSL) instead of hashing it with some JavaScript code first?
3 Comments
Password over SSL is secure to at least some point. And hashing the password with client-side JavaScript is good but doesn't enhance your security much. It's easily beatable.
The primary hashing algorithm must be hidden from eavesdroppers for higher security, because for better and higher security, passwords must be salted, and these salt phrases must be hidden, invisible to anyone.
Hope it answers your doubt.
I'll chime in here with an attempt at an answer: we don't see it because it hasn't become a big deal to those commissioning the websites, and knowledge of alternatives isn't very public.
I've started using the SRP (Secure Remote Password) protocol, and as you can see from security.stackexchange.com/search?q=srp, there's a good amount of interest in the security realm of things, but nada on webmasters.stackexchange.com/search?q=srp.
Now, I'm not saying SRP is the end-all, be-all of security, but it addresses your concern and the concern of storing the password anywhere after being entered into the login form.
There's no perfect solution until Heisenberg's Uncertainty Principle is mastered from the point of entry to the point of reception, but better and better methods arise and take their time to become "standards".
JavaScript is client-side code that runs in browsers and hence is very defeatable, so there really is very little point in using it to encrypt passwords.
SSL is a cryptographic protocol that encrypts the data between clients and servers, so it is considered sufficient without the addition of easily broken, visible client-side code. JavaScript may however be used to verify that a password meets certain standards of strength, such as the number of alphanumeric characters, case, and symbols as required by a server-side application/database.