
I have a registration page which has the following password entry control:

```html
<input type="password" />
```

What is the best way to send this password to the server and then save it into a database for later comparison when logging in?

Pascal MARTIN
oshirowanen
  • I did a quick search and found nothing obvious from the first few results which showed how to not send passwords in the form of text from the client to the server. I just saw something about https, but that is not an option at the moment. Please feel free to down vote if it makes you happy. But personally, I don't think you read my question properly. If we could down vote comments, I would not think twice to down vote your comment. So please, don't hold back the down votes. ;) – oshirowanen Mar 26 '11 at 13:59
  • There is NO good way to send password to a server, you have to hash it and store the hash! – Mesh Mar 26 '11 at 14:24
  • Without a "name" attribute on that `input` element, nothing will get sent anyways. – Marc B Mar 26 '11 at 14:44
  • @Adrian: Gee, then how do login systems work? Depending on the client to do the hashing (and exposing your salts and hash algorithms) is really secure... – Marc B Mar 26 '11 at 14:45
  • Sorry I read the question too quick and interpreted it as about hashing and storing passwords.... – Mesh Mar 26 '11 at 16:51

3 Answers

The best way is to use HTTPS. HTTPS protects traffic from client to server and was designed specifically for this. You don't need to encode anything at this level. @Adrian's linked post is about storage of the passwords in a database, and you will find useful info there. Just remember not to save the passwords directly; save either hashes or heavily encrypted versions.

Elzo Valugi

See this answer here:

Best way to encode passwords in PHP

Community
Mesh

As @Elzo suggested, HTTPS must be used when passwords and private data are involved. HTTPS is useful for network data transmissions. Now, about password storage security... the password must be saved using a one-way hashing algorithm like md5 (you can use the md5() function in PHP). Don't store clear passwords in the db. Then, when the user logs in, the server-side script will receive the password and check the correspondence between the md5("userpasswordinput") sent by the user through the HTML form and the value stored in the db table (previously encoded as md5).

bitfox
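Added example, not part of any answer above: the server-side half of the register/login flow the answers describe, using PHP's built-in `password_hash()` and `password_verify()`, which store a per-password random salt and a slow hash, next to a plain `md5()` call, which gives the same digest for the same password every time. The `$users` array standing in for the database table, the user names and the sample password are assumptions; transport is assumed to be protected by HTTPS as the answers recommend.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the users table: username => stored hash string.
$users = [];

function register(array &$users, string $name, string $password): void
{
    // password_hash() generates a random salt on every call and embeds the
    // algorithm, cost and salt in the string it returns.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array &$users, string $name, string $password): bool
{
    // Unknown users are checked against a throwaway hash so that both
    // paths perform one hash computation.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

    $known  = isset($users[$name]);
    $stored = $known ? $users[$name] : $dummy;

    // password_verify() re-derives the hash from the salt and cost stored
    // in $stored and compares the result in constant time.
    if (!password_verify($password, $stored) || !$known) {
        return false;
    }
    // Upgrade the stored hash if the default algorithm or cost has changed.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

$pw = 'correct horse battery staple';   // constructed sample password
register($users, 'alice', $pw);
register($users, 'bob', $pw);

// Two users with the same password: compare the stored salted strings,
// then compare two plain md5() digests of that password.
var_dump($users['alice'] === $users['bob']);
var_dump(md5($pw) === md5($pw));

// Correct password, wrong password, unknown user.
var_dump(login($users, 'alice', $pw));
var_dump(login($users, 'alice', 'wrong guess'));
var_dump(login($users, 'mallory', $pw));
```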