
How to encrypt client-side login before sending to server?

@user705956 - You're going to have to be a lot more specific to get useful answers =) – Rob Apr 13 '11 at 11:58

4 Answers


You should use HTTPS.

Building security by yourself is hard, and you are very likely to get it wrong.
You should stick with the systems that the experts use.

On the server, remember to hash and salt the passwords, preferably using bcrypt.

SLaks

There's one very simple solution. SSL. Ensure that all your login activities are served via https:// URLs.

The way that you do this, at least the "setting the server up" part, varies depending on what web server you're using. You'd be better off asking a question of that nature on http://www.serverfault.com/

Rob

You can only use https - any client-side encryption would be viewable on the client and therefore useless. There is an SO question on this: password encryption at client side

detaylor

You should really use HTTPS, but if you can't use HTTPS then the alternative is to create a hash.

  1. Server generates a random 'salt' for the session
  2. JavaScript on client-side creates a cryptographically secure hash of the user's password and the salt.
  3. The hash is sent to the server; you can then retrieve the password from the database, create a hash using the salt for the session and the password from the DB, and check if it is the same as the one sent from the client. If it is, the password is a match.

An example of using JavaScript to protect passwords: http://pajhome.org.uk/crypt/md5/auth.html

Mark Keats
And make sure that the salt cannot be reused. Also, this won't help; the attacker can insert his own Javascript. – SLaks Apr 13 '11 at 12:11