-1

I'm developing an application that requires a user to log in. On the server side I'm using the PBKDF2 algorithm to hash passwords, but currently I'm sending the password to the server as plain text (a String), and I do not know how to change it. Right now it is prone to sniffing. What should I do to make this more secure?

ofca1234
  • 53
  • 7
  • This question is probably better fit for [security.stackexchange.com](https://security.stackexchange.com/) – Ben Apr 06 '18 at 08:43

1 Answer

-1

I've dealt with the same problem; here's how I solve it.

The client hashes the password (SHA3-512) and sends it to the server; the server gets this and hashes it again using a random, changing salt function. All connections are done via SSL and with POST methods.

User enters 1234 -> client sends hduhd73y743fhiuj4u -> server stores 37y487f.f4u4uj4o3i5885 in the database (not actual values).

With this approach, the server will never know the actual password, so a man in the middle can't get the actual password. Keep in mind it doesn't stop a man in the middle from imitating this hashed password and sending it to the server to log in as the user.

shahaf
  • 4,750
  • 2
  • 29
  • 32
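The two-stage scheme the answer describes (client-side SHA3-512 pre-hash, server-side salted PBKDF2 over that pre-hash), as an added example that is not code from the asker or the answerer. It assumes Python's standard `hashlib`/`hmac` modules, a dict standing in for the user database, and an iteration count chosen as an assumption for this demo.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the database: username -> (salt, pbkdf2_hash)
USER_DB = {}

# Assumption for this example; size it to your server's CPU budget in practice.
PBKDF2_ITERATIONS = 210_000


def client_prehash(password: str) -> str:
    """Client side: SHA3-512 the password before it leaves the app.

    Only this hex digest travels over TLS; the raw password never reaches the server.
    """
    return hashlib.sha3_512(password.encode("utf-8")).hexdigest()


def server_register(username: str, prehash: str) -> None:
    """Server side: treat the client's pre-hash as the secret and store PBKDF2 over it."""
    salt = os.urandom(16)  # fresh random salt per user, stored next to the hash
    stored = hashlib.pbkdf2_hmac("sha256", prehash.encode("ascii"), salt, PBKDF2_ITERATIONS)
    USER_DB[username] = (salt, stored)


def server_verify(username: str, prehash: str) -> bool:
    """Recompute PBKDF2 with the user's stored salt and compare in constant time."""
    record = USER_DB.get(username)
    if record is None:
        # Do a dummy PBKDF2 so an unknown username costs the same time as a known one.
        hashlib.pbkdf2_hmac("sha256", prehash.encode("ascii"), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", prehash.encode("ascii"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def login_flow(username: str, password: str) -> bool:
    """End to end: the client sends client_prehash(password), never the password itself."""
    return server_verify(username, client_prehash(password))
```

As the answer notes, the pre-hash is what the server authenticates, so it must be protected in transit (TLS) exactly as a password would be; the server-side salt only protects the stored records.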