Stooney, posted June 2, 2009:

I'm working on a website where users' passwords are stored as a sha512 hash. I don't want to send the password as plaintext when logging in. Does anyone know of a JavaScript library available that will hash the password on the client side? If not, any ideas on how I should secure the password before sending it to the server?
Axeia, posted June 2, 2009:

Ummm, that's not adding security at all. It merely creates a dependency on JavaScript to be able to use something, which is something you want to avoid! I'd say you just don't! As anything server-side needs data sent first (which isn't hashed), and anything client-side pretty much means making your salt public? That's reducing security instead of adding it.
Ken2k7, posted June 3, 2009:

Just don't do it in JavaScript!
Stooney (author), posted June 3, 2009:

The worst thing one can do is send a plaintext password to a server. Hashing it client-side would do nothing but add security. If they can crack a sha512 hash then they deserve it. If a hacker gets hold of the hash I wouldn't be nearly as concerned as if they got hold of the plaintext password. You two are silly. (I'm not saying it won't be double-checked on the server side; this is just for legit users' security.)
Psycho, posted June 3, 2009:

> The worst thing one can do is send a plaintext password to a server. Hashing it client-side would do nothing but add security.

That is what SSL is for. Hashing the password with JavaScript is just plain dumb. What happens for users without JavaScript enabled, such as people using some hand-held devices, blind people using screen readers, or just anyone who does not want JS enabled for security reasons? Then you have to account for the fact that there are many different browsers out there and some have peculiarities in how they interpret JS. Are you willing to test every version of every browser to make sure your JS works correctly in each one? As a rule, using JavaScript should never be a requirement for a site (there are a few exceptions).
Ken2k7, posted June 3, 2009:

> That is what SSL is for. Hashing the password with JavaScript is just plain dumb. What happens for users without JavaScript enabled, such as people using some hand-held devices, blind people using screen readers, or just anyone who does not want JS enabled for security reasons? Then you have to account for the fact that there are many different browsers out there and some have peculiarities in how they interpret JS. Are you willing to test every version of every browser to make sure your JS works correctly in each one? As a rule, using JavaScript should never be a requirement for a site (there are a few exceptions).

mjdamato, you can always check the length of the password. A sha512 produces a 128-character string, right? I don't suppose someone would have a password that long. But you do have a point.

chrisdburns, using JavaScript for security is plain dumb. You should just use it for GUI and effects. I mean, you're introducing complexity that serves no real purpose. Learn to KISS!
Stooney (author), posted June 4, 2009:

Alright, SSL it shall be then. Thank you all.