Protocol for Using Salt Password Hashing

Question

Protocol for Using Salt Password Hashing

I am trying to understand what information is needed to send in a web application. I basically have a web application running on a web server, a database that has a user table with a hashed password and salt, and, of course, a web client with javascript enabled.

When a user logs in to the system, the user name and password are entered on the client side. I want to know what information has been sent. Does the web client send the password in plain text or use javascript to hash the password WITHOUT salt and send the hased result? Or does the client receive the salt in plain text from the server, and then the client sends hased password + salt?

What is the best way to hash and salt hash? Is MD5 okay as a hash? How hash (password_plain_text + salt) vs hash (hash (password_plain_text) + salt), where + is the string concatenation?

+3

javascript hash salt

user670800 Jun 08 '11 at 2:55

source share

3 answers

JavaScript , , . JavaScript, , .

, , , , JavaScript. , JavaScript .

.

, . , ( ), , .

, SHA256. Google " md5 collisions", , MD5 ( ).

+3

Blender 08 . '11 3:02

If you really want your connection to be secure, use SSL. If your data is not critical, enter your password on the server. You can hash it on the client, but your hashed password and salt can be compromised in any case, so the easy password can be redirected.

+3

bjornd Jun 08 '11 at 3:02

source share

Sean Vieira · Accepted Answer · 2011-06-08T03:10:59+0000

When the browser sends the data that you have provided, it sends it in a format that most likely complies with the RFC (s) requirements for the protocol that it exchanges with the server.

In the case of an HTTP connection, the username and password are sent in clear (that is, in plain text) to your web server.

HTTPS , , HTTPS ( ), - , . , , - clear.

-, . , , ( ). , - - .

, -, ( - ).

... ( SHA- ) ( , ). , () . , , , , .

Protocol for Using Salt Password Hashing

More articles: