I have the following situation:

I have a password input on my page and a button. When the user enters his password and presses the submit button, a JavaScript function gets called:

```javascript
function deleteAccount() {
    // jQuery object wrapping the password input
    var password = jQuery('#password');
    // ...
}
```

Within this function I do an AJAX request to my backend. All works great but I'm not that happy with sending the readable password over my AJAX function. So I'm looking for a way to strangify or twist the password before the submit.

Importantly, I need to re-strangify the password again within PHP:

```php
$password = $_POST['p'];
```

So do you know a good and fast way to do this?

Mr. Jo
  • The words you are looking for are encrypt, obfuscate, encode, hash – mplungjan Mar 19 '19 at 19:30
  • AJAX is not any less secure than a regular POST. I recommend using an [SSL certificate](https://stackoverflow.com/questions/4101440/jquery-sending-password-via-ajax) to help protect data. – showdev Mar 19 '19 at 19:32
  • @showdev I already have an SSL certificate but I don't want to make it that much clear. – Mr. Jo Mar 19 '19 at 19:32
  • I see. Keep in mind that someone listening for passwords can also listen for hashed passwords and submit those to your server. You might find these posts informative: [Is it worth hashing passwords on the client side](https://stackoverflow.com/questions/3715920) and [Why almost no webpages hash passwords in the client before submitting (and hashing them again on the server), as to “protect” against password reuse?](https://softwareengineering.stackexchange.com/questions/76939) and [Plain text password over HTTPS](https://stackoverflow.com/questions/962187). – showdev Mar 19 '19 at 19:38
  • If someone can break your ssl certificate and get at your encrypted information, you have bigger problems than a plain text password. – Taplar Mar 19 '19 at 19:40
  • Also of interest: "In a Web Application, always hash on the server ... This isn't to say that you shouldn't hash in the browser, but if you do, you absolutely have to hash on the server too ..." -- [Salted Password Hashing - Doing it Right](https://crackstation.net/hashing-security.htm#properhashing) – showdev Mar 19 '19 at 19:49
  • And finally, there are a few suggestions on how to hash client-side here: [Simple way to hash password client side right before submitting form](https://stackoverflow.com/questions/34952392/simple-way-to-hash-password-client-side-right-before-submitting-form). – showdev Mar 19 '19 at 19:50
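
The point raised in the comments above, as an added example that is not part of the original thread: a client-side hash becomes the credential itself, so the server still has to hash whatever it receives before storing it. It is written for Node.js so it runs offline; every function name, the in-memory "database" and the sample password are constructed for illustration.

```javascript
// Added example; all names are hypothetical and the sample data is constructed.
const crypto = require("crypto");

// What the browser would send if it hashed the password before the AJAX call.
function clientHash(password) {
  return crypto.createHash("sha256").update(password, "utf8").digest("hex");
}

// Weak design: the server stores the submitted client-side hash and compares it
// directly. The stored value is exactly what a login request has to contain.
function weakRegister(db, user, submitted) { db[user] = submitted; }
function weakVerify(db, user, submitted) {
  if (typeof db[user] !== "string") return false;
  const a = Buffer.from(db[user], "utf8");
  const b = Buffer.from(submitted, "utf8");
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Server-side hashing: whatever arrives in the POST body goes through a salted,
// slow KDF (scrypt here); only the salt and the derived key are stored.
function strongRegister(db, user, submitted) {
  const salt = crypto.randomBytes(16);
  db[user] = { salt, key: crypto.scryptSync(submitted, salt, 32) };
}
function strongVerify(db, user, submitted) {
  const rec = db[user];
  if (!rec) return false;
  return crypto.timingSafeEqual(crypto.scryptSync(submitted, rec.salt, 32), rec.key);
}

function demo() {
  const password = "correct horse battery staple"; // constructed sample
  const onTheWire = clientHash(password);          // value carried in the request body
  const weakDb = {}, strongDb = {};
  weakRegister(weakDb, "jo", onTheWire);
  strongRegister(strongDb, "jo", onTheWire);
  return {
    // The hashed value is accepted as-is in both designs: hashing in the
    // browser does not change what TLS has to protect in transit.
    replayAcceptedWeak: weakVerify(weakDb, "jo", onTheWire),
    replayAcceptedStrong: strongVerify(strongDb, "jo", onTheWire),
    // Only server-side hashing keeps the stored value from being login-ready.
    weakDbHoldsCredential: weakDb.jo === onTheWire,
    strongDbHoldsCredential: strongDb.jo.key.toString("hex") === onTheWire,
  };
}
```

In the PHP backend from the question, the built-ins for the server-side step are `password_hash()` and `password_verify()`.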
