
I am working on an Android app (in JAVA) which will provide register/login functionality. The problem I'm facing is that I can't make out the best way to encrypt the password and send it over to a server.

Firstly, I thought of making an MD5 hash of the password and sending the hash to the server. And when the user is to log in again, he'll just input the password and the app will convert the password to an MD5 hash and send it over. The server would then compare the hashes and authenticate the user.

But the problem here arises that if the network were to fall prey to a man-in-the-middle attack, it'd be very easy for the attacker to send the hash to the server to gain access.

Secondly, any encryption that would be used should not be taxing on the Android device. Also, would it be possible to have an encryption that will not be decrypted at the server end, but instead use the same logic as the MD5 method mentioned above?

Lastly, I came across RC4 encryption and Secure Salted Password hashing. Didn't really understand them, but the authors made a big deal out of them. So are they any good for such use?

1 Answer


Never EVER EVER EVER EVVVEERRR!!!1! use md5 hashes for passwords. There are LOADS of resources explaining why this is a bad idea. The smart thing to do is just send the password over HTTPS/SSL to the server and let the server do the password hashing (with something like bcrypt or AES256).

SSL technology is very secure and will automatically encrypt the data being sent to your server. It's pretty unparalleled in terms of security and you should never try to "roll your own" with security.

Is MD5 considered insecure?

How weak is MD5 as a password hashing function

Why do people tell me this is a bad way to hash passwords

– d0nut
  • I did not understand "send password to the server and let the server do the password hashing"; in my case I have a JavaFX application. – Menai Ala Eddine - Aladdin May 14 '18 at 16:21
  • I did not understand "send password to the server and let the server do the password hashing"; in my case I have a JavaFX application. – Menai Ala Eddine - Aladdin May 14 '18 at 16:23
  • @MenaiAlaEddine can you explain a bit further what your issue is? It might make more sense for you to create your own question. If you ping me with a link afterwards, I'll take a look for you. – d0nut May 14 '18 at 17:23
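The answer's recommendation (send the password over TLS, hash it only on the server with a salted, slow hash) as an added server-side example; this is not code from the question or the answer, and it uses PBKDF2-HMAC-SHA256 from Python's standard library where the answer names bcrypt. It also shows why a client-side MD5 scheme fails the asker's replay concern: whatever the client sends is the credential, so the server must be the one that derives and stores the salted hash. The iteration count, salt size and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# The server receives the plaintext password over TLS and stores only a
# salted, slow hash. PBKDF2-HMAC-SHA256 is used here because it is in the
# standard library; bcrypt, scrypt or Argon2 fill the same role.
ITERATIONS = 600_000   # work factor (assumed value); raise it as hardware gets faster
SALT_BYTES = 16        # per-user random salt length (assumed value)


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt per user; never reuse one
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:          # malformed or tampered record
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)  # no early-exit timing leak


def demo() -> dict:
    """Constructed scenario: two users pick the same password (sample data, not real)."""
    users = {name: hash_password("hunter2") for name in ("alice", "bob")}
    rec = users["alice"]
    tampered = rec[:-1] + ("0" if rec[-1] != "0" else "1")  # flip last hex digit
    return {
        # distinct salts mean identical passwords give different records,
        # so a leaked table cannot be cracked with a single precomputed lookup
        "records_differ": users["alice"] != users["bob"],
        "alice_ok": verify_password("hunter2", rec),
        "wrong_pw": verify_password("hunter3", rec),
        "tampered": verify_password("hunter2", tampered),
    }
```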