Password hashing at client browser

 

What's the best way to hash the user password at the client browser, before sending it to the web server, so that only the hash goes out, not the plain-text password?

EDIT : assuming HTTP is used (not HTTPS)

Use javascript to calculate the hash. See this for an example on how to calculate SHA-1 hashes in JS.

Beware that if you make yourself dependant on Javascript, your system will fail as soon as someone has JS disabled. You should use HTTPS if this is a concern to you, which has its own setbacks (eg certificates cost money if you want them to be immediately accepted by browsers.)

Try using this jQuery encryption plugin. Out of curiosity, what's wrong with using SSL/HTTPS and encrypting at the server side?

Not all people have JavaScript enabled in their browsers and even the idea of sending hashes on a plain-text channel I think is not secure enough.

I would recommend you to consider a SSL secured connection.

链接地址: http://www.djcxy.com/p/21556.html

上一篇: 安全密码散列

下一篇: 在客户端浏览器进行密码散列