
Possible Duplicate:
How to calculate md5 hash of a file using javascript
Can I convert password to md5 in javascript before sending to php page?

Is there any function or way to encrypt the string using JavaScript as hashing in PHP? I am asking the user to set their password and I don't want their password to come to the server in string format before PHP applies hashing on it.

Raul

2 Answers


md5 is a hashing method, not an encryption method. It is a common algorithm that could be implemented in any language, so I'm sure a JavaScript version exists out there.

However, your logic is flawed. Why do you want to hash the password on the client side? Then the hashed password can be captured en route to the server, which is even worse than if the server hashed it alone. This offers no protection whatsoever.

On a related note, md5 is a very insecure hash. Use bcrypt.


The difference between hashing vs. encryption is that the former creates a digest whereas the latter creates encrypted content that can be decrypted. A hash digest cannot be converted back to the original data because it is lost (on purpose). Hashing is used for authentication, encryption for secrecy.


To expand on the fact that client-side hashing is at most as effective as server-side hashing, think about the fact that authentication is done when the hash digest is compared to the value stored in the DB.

The value that you store is the md5 of the original password. To authenticate, you have to receive the password, use md5, and then compare it to the digest in the DB. This means md5 must be called at most one time. If you want to call it in JS, then it will not be called in php. This means that if someone intercepts the md5 it's just as effective as if they intercepted the original password because they can just post the md5 to your server and no additional hashing is done.

If you also did an md5 hash on the server side, that wouldn't make any difference because the same unhashed value (relative to the PHP operation) is received. In point of fact, it is less secure because repeating the same hash increases the probability of a collision.

Explosion Pills
  • then what would be the best way to secure it? – Raul Feb 01 '13 at 06:01
  • 1
    [**Salt**](http://en.wikipedia.org/wiki/Salt_(cryptography)) it and [**hash**](http://en.wikipedia.org/wiki/Hash_function) it server side. If you're really worried, use [**SSL**](http://en.wikipedia.org/wiki/Secure_Sockets_Layer). – thordarson Feb 01 '13 at 06:02
  • 1
    @RahulJha Use `https` for all of your client/server communication. Use a strong hashing algorithm such as `bcrypt` on the server side to prevent it from being compromised there. As long as you use `https` and `POST` to send the password, you've done all you can do. You can't stop someone malicious from standing behind the other person and watching them type in their password, after all. I'd be much more worried about session fixation, session hijacking, or CSRF than I would be about compromised passwords – Explosion Pills Feb 01 '13 at 06:05

The only proper answer to this is: do not use md5 to encrypt passwords

If you're worried about transferring plain text passwords over an unencrypted connection, use an encrypted connection.

Ja͢ck