2

Can I convert a password entered into a form to md5 hash using javascript before sending it to my php validation page using javascript?

If yes, how?

Or is there an easier way to do it?

Thank you.

  • 1
    Yes, it is possible. But what do you expect from doing so? The only advantage is that only the hash instead of the plain password is transmitted, but now the hash is the new password. – Gumbo Mar 04 '12 at 11:43
  • I don't want to save plain text passwords in my db (later). So I only need the md5 hash, whenever a user tries to log in I want to compare the md5(password) they entered to the md5 hash in the db. – BrokenCode Mar 04 '12 at 11:46
  • 1
    What’s wrong with hashing the password on the server side that actually *is* under your control? – Gumbo Mar 04 '12 at 11:48
  • Sorry, I am a newb. Your suggestion makes much more sense than what I was trying to do. But I am unsure how to convert the password that's entered into my form to md5 and then pass it on to the JS (on the same page). – BrokenCode Mar 04 '12 at 11:50
  • 2
    @PartisanEntity: If I'm comparing the client's hash against the server's... how's that any better than storing the passwords in plain text? If I break in, I have all the passwords -- I can just tweak my browser to send you the hash I just stole from your DB, instead of trying to figure out what password was used to create it. – cHao Mar 04 '12 at 11:51

5 Answers

7

There are a few simple rules regarding password handling:

  1. To safely transfer passwords from the browser to your server, use SSL! Don't settle for anything less if you're truly worried about security.

  2. Perform password hashing on the server only. Hashing on the client side depends on JavaScript, which is not always there.

  3. It may seem obvious, but you can only reliably hash passwords with a password hash function, such as password_hash() (ships with PHP since 5.5) or via the password_compat library.

Ja͢ck
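An added example (not code from the answer or the question) of what rule 3 looks like in practice: hashing and verifying on the server with password_hash()/password_verify(), accepting credentials over HTTPS only. It assumes a PDO handle $pdo and a users table with username and password_hash columns; both are illustrative assumptions.

```php
<?php
// Added example (not the answer's own code): server-side password handling with
// password_hash()/password_verify(). Assumes a PDO connection $pdo and a "users"
// table with "username" and "password_hash" columns (illustrative assumptions).
declare(strict_types=1);

/** Registration: store only the salted hash, never the plain password. */
function registerUser(PDO $pdo, string $username, string $password): void
{
    // PASSWORD_DEFAULT generates a random salt and embeds it in the hash string,
    // so no separate salt column is needed and equal passwords hash differently.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

/** Login: verify the submitted plain password against the stored hash. */
function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still run a verify against a throwaway hash so the response
    // time does not reveal which usernames exist.
    $hash = $row['password_hash'] ?? password_hash('throwaway', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === false) {
        return false;
    }
    // Transparently upgrade old hashes when the default cost/algorithm changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

// Handler for the AJAX validation page: accept credentials over HTTPS only.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        http_response_code(403); // refuse plain-HTTP submissions
        exit;
    }
    $ok = loginUser($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    header('Content-Type: application/json');
    echo json_encode(['ok' => $ok]);
}
```

The browser never hashes anything: the plain password travels once, inside the TLS session, and only the salted hash is ever stored, so a stolen database row cannot be replayed as a login the way a client-side hash could.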
2

Your intention not to send any plain password is absolutely commendable. But simply hashing the password on the client side and sending the hash instead of the plain password won’t help much. Because although it’s not the plain password that is used for authentication, it’s the hash that is now used instead. So an attacker who eavesdropped on the communication would simply use the hash instead of the plain password. So this won’t help much, not to mention that a client won’t have JavaScript support.

However, it’s worth mentioning that there are authentication schemes that work that way (e.g. the HTTP Digest Access Authentication Scheme). But there still needs to be a secure and trusted channel where the password is initially sent to the server. So HTTPS is still a must.

Gumbo
1

You shouldn't do that anyway.

JavaScript can easily be disabled and you will be saving/manipulating the plain password. Use PHP instead for that.

Sarfraz
  • What database? There was no database mentioned. – Gumbo Mar 04 '12 at 11:44
  • @Gumbo: I assume it here. The ***point*** is that JS shouldn't be used for encrypting passwords when PHP is available. Updated for *you* anyway – Sarfraz Mar 04 '12 at 11:47
  • 1
    Thank you, I didn't think of the fact that JS can be disabled. But how do I convert the password to md5 using PHP and pass it on to the JS on the same page before sending it to my PHP validation page? – BrokenCode Mar 04 '12 at 11:47
  • @Sarfraz Actually, PartisanEntity confirmed that hash should be stored in a database. :) – Gumbo Mar 04 '12 at 11:50
  • @PartisanEntity: See the PHP manual to learn more about it: http://php.net/manual/en/function.md5.php. Or ask another question *how to use md5 in php to save password* – Sarfraz Mar 04 '12 at 11:50
  • @Gumbo: That's mostly why we encrypt passwords :) – Sarfraz Mar 04 '12 at 11:51
  • @Sarfraz, thank you, I understand how that PHP function works. But how do I pass the variable to JS on the same page without reloading the page? (The whole thing is for AJAX validation.) Or did I misunderstand something here? – BrokenCode Mar 04 '12 at 11:57
  • @PartisanEntity: It depends on how you have structured it all. You should ask another question mentioning that and how you want it to be passed to same page. It can't be explained this way. There are quite some ways to pass variables. – Sarfraz Mar 04 '12 at 11:58
1

You need to convert the plain-text password to an md5 hash using PHP only. As Sarfraz pointed out, the user can easily disable JavaScript in their browser, rendering the md5 process useless. If they disable JS, the plain-text password might be sent to the database without encryption.

If you're concerned about data transfer security, buy an SSL certificate to ensure everything in the form is being sent over HTTPS.

hohner
0

You can, but it does not increase the security of your application.

Here is a JS implementation of the PHP md5 function: http://phpjs.org/functions/md5

Petah
  • It doesn't just not increase security... it actually *decreases* security. It's almost as bad as having the password in plain text, as the hashed password is now *the* password. It makes things only marginally more difficult if I know the hash, as opposed to having the hash checked on the server -- in which case I need to figure out what password generated that hash. (And I haven't even mentioned the fact that if you're hashing client-side, the hashes would almost have to be unsalted... and suddenly it becomes easier to get the *original* passwords, if for some reason I want them.) – cHao Mar 04 '12 at 20:25