
I am trying to create my own login system and I was wondering what is the best way to hash a password?

Should I just use the function from PHP SQL `hash('SHA512', $password)` or should I use JavaScript for it?

I have already made the system to hash via PHP SQL with SHA512, but if it's more secure with JavaScript I wouldn't mind shifting.

So what I am asking for is, what are the pros and cons of hashing with JavaScript and with PHP?

And it would be cool if you could tell me too what it means to SALT; I haven't really understood what it exactly means, and why I should do it.

And yes, I know there are lots of good login systems I can just copy/paste, but this is mostly for understanding how it all works and getting some experience.

Racil Hilan
Oliver Nybroe
  • If you're going to send the hashed password through the network, there's no benefit over storing them in clear. And if you're starting a new system from scratch I suggest you use a secure mechanism, not Sha512. – Álvaro González Mar 17 '14 at 12:47

1 Answer


There's the obvious concern that the user might have JavaScript disabled. This can be "resolved" by having your encoding system prepend something that can't be inserted, such as \x01 or a similar non-printable character. In this way, your server can check if the first character is \x01 and, if it isn't, it can apply whatever the JavaScript is supposed to do.

So with that issue resolved, you need to also consider that anything in the JavaScript is plainly visible. Any malicious user can easily read your JS source code and find out exactly how the encryption is done. Therefore, you can't rely exclusively on JavaScript to encrypt your data. You must also use server-side code to further secure it.

On the plus side, anything that prevents passwords from being sent as plain text via HTTP is a good thing; however, that's what SSL (https://) is for.

So basically, encrypting in JavaScript can be seen as "poor man's SSL", however it doesn't really provide any more security than what the server can do.

Niet the Dark Absol