
I'm currently looking at using bCrypt to encrypt the passwords of the future users in my project.

It looks extremely powerful, but here's my concern --

  • On the web site, create an account. The server will bCrypt your password and store its hash. test --> $2a$12$4PhCN62AmALB7e.Sv2w9w.AP/JZ28l.dZldU5iHyupY2w5wPz9o.u
  • Now to check your password, you simply check the return of BCrypt.Net.BCrypt.Verify("test", "$2a$12$4PhCN62AmALB7e.Sv2w9w.AP/JZ28l.dZldU5iHyupY2w5wPz9o.u") to ensure a match.

In the case of using a client-side app to work with this webserver, and the same data, do I need to send the password over the wire to have the server match its validity? Is it feasible to have the client request the hash, and have the server send it to the client, so that the client can do the hashing and verify it?

Kirk Woll
The1nk
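The two flows the question contrasts, as an added example (not code from the original post): flow A is what the answer below recommends, the client sends the password inside TLS and the server alone re-hashes and compares; flow B is the proposal in the question, the server hands out the stored hash and lets the client verify. Assumptions: `hashlib.scrypt` stands in for bcrypt because bcrypt is not in the Python standard library (the shape of the flow, a slow salted hash stored at registration and re-derived at login, is the same), the in-memory `Server` class is a stand-in for the web server and its database, and the account, password and wordlist are constructed.

```python
"""Server-side versus client-side password verification (added illustration).

Assumption: hashlib.scrypt stands in for bcrypt, which is not in the Python
standard library; the flow (slow salted hash stored at registration,
re-derive and compare at login) is the same.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Cost parameters for the stand-in KDF (assumption; kept low so the demo runs quickly).
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $scrypt$<salt hex>$<digest hex>."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return f"$scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class Server:
    """Minimal account store; an in-memory dict stands in for the database (assumption)."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self.users[user] = hash_password(password)

    # Flow A: the client sends the password inside a TLS session and the server
    # alone decides, by re-deriving the hash and comparing. The hash never leaves.
    def login_server_side(self, user: str, password: str) -> bool:
        stored = self.users.get(user)
        if stored is None:
            return False
        return verify_password(password, stored)

    # Flow B (the question's proposal): the server hands the stored hash to
    # whoever asks and then accepts the client's verdict. Both halves are the problem.
    def get_hash(self, user: str) -> Optional[str]:
        return self.users.get(user)

    def login_client_side(self, user: str, client_says_match: bool) -> bool:
        return user in self.users and client_says_match


def honest_client_flow_b(server: Server, user: str, password: str) -> bool:
    """A well-behaved client doing exactly what the question describes."""
    stored = server.get_hash(user)
    return stored is not None and server.login_client_side(
        user, verify_password(password, stored)
    )


def forged_client_flow_b(server: Server, user: str) -> bool:
    """An attacker who never learns the password; the server trusts the claim."""
    return server.login_client_side(user, True)


def crack_offline(stored: str, wordlist: List[str]) -> Optional[str]:
    """With the hash in hand, guessing runs offline with no rate limit or lockout
    in the way; only the KDF cost slows it down. The wordlist is constructed."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    srv = Server()
    srv.register("alice", "test")  # constructed account, same password as the question
    print("flow A, right password :", srv.login_server_side("alice", "test"))
    print("flow A, wrong password :", srv.login_server_side("alice", "wrong"))
    print("flow B, honest client  :", honest_client_flow_b(srv, "alice", "test"))
    print("flow B, forged verdict :", forged_client_flow_b(srv, "alice"))
    print("flow B, offline crack  :", crack_offline(srv.get_hash("alice"), ["password", "hunter2", "test"]))
```

Flow B fails twice: the server has no way to tell an honest "it matched" from a forged one, and the act of handing out the hash gives an attacker the material for an offline dictionary attack with no lockout in the way. Flow A keeps both the hash and the decision on the server; the password is still plaintext inside the request, which is why the transport has to be TLS.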

1 Answer


You can prevent the plaintext password from being sent over the wire by using SSL (e.g. https). The password will be plaintext but the connection will be secure, and only the server and client will be able to decode info in that connection.

Gumbo
Patashu
  • SSH or SSL? There's a BIG difference! – bbosak Mar 13 '13 at 02:46
  • @IDWMaster I do not know what the difference is, only that they're used similarly – Patashu Mar 13 '13 at 03:00
  • There's a big difference. SSL is the technology used in web browsers, to "secure" communications for "protection against eavesdroppers". It uses public-private key cryptography and relies on a trusted root authority to verify a site's identity. SSH, on the other hand, is used for anything from encrypted file transfers, to secure Git repositories, to remote access to Linux terminals. – bbosak Mar 14 '13 at 04:25