
What is the best way to login a user:

1) Get first the hash of the password with javascript, send it to the server and then compare it with the hash stored in the database.

2) Send the password in plain text to the server, get the hash and then compare it with the hash stored in the database.

xRobot
  • [What Have You Tried?](http://whathaveyoutried.com) – John V. Jun 17 '12 at 16:58
  • Duplicate: http://stackoverflow.com/questions/768268/how-to-calculate-md5-hash-of-a-file-using-javascript – craig1231 Jun 17 '12 at 16:59
  • 5
    If you salt your password hashes (as you should) then you should do the hashing server side, otherwise the salt has to be accessible to your javascript making it less secure. And you should use SSL for all login screens, so that the password isn't sent in plaintext – Mark Baker Jun 17 '12 at 17:00
  • 1
    @xRobot what about to use both methodes ? – HamZa Jun 17 '12 at 17:02
  • I agree with @HamZaDzCyberDeV. Both methods can be applied at one time. – madfriend Jun 17 '12 at 17:04
  • @xRobot of course when the hash lands on the server you apply a second hash with salt and then compare! – HamZa Jun 17 '12 at 17:05
  • 1
    If you have to use insecure connections, here is the procedure I have used in the past: 1) When the user loads the login page, create a pair of random salt strings and store them in a PHP. Send these to the client side in hidden, un-named inputs. 2) In Javascript, use the salts to hash the user entered password. Send **only** the user name and the hashed password back to the server. 3) Use the salts stored in the session to create a hash and compare with the user supplied string, then delete the salts from the session and generate new ones if necessary. – DaveRandom Jun 17 '12 at 17:07
  • The disadvantage of this is it requires the passwords to be stored on the server side in plain text or some form of reversible encryption. – DaveRandom Jun 17 '12 at 17:09

1 Answer


> Get first the hash of the password with javascript, send it to the server and then compare it with the hash stored in the database.

No. If you do this then the password to be input to the server is the same as the password stored in the database and it is insecure.

> Send the password in plain text to the server, get the hash and then compare it with the hash stored in the database.

No. Use SSL so the password is sent using public key encryption. Then hash it on the server (using a salt) and compare it to the password in the database.

Quentin
  • What is the best way without using SSL (I can't use SSL for simple websites)? – xRobot Jun 17 '12 at 17:15
  • The best way without using SSL is exactly the same, only with the passwords being sent in plain text. (Nothing is stopping you from using SSL for simple websites though, just for el cheapo websites.) – Quentin Jun 17 '12 at 17:25