Best practices for hashing a password without using SSL

 

I know this question sounds like it might already be answered but stay with me. I have a website that needs users to sign up and log in. In this process, lets take sign up the user would provide a username and password, the system will check the information and then POST to itself for the PHP script to salt and hash the password before storing it in the database.

Now i thought this was safe, salt and hashing a password is always best practice but recently i thought about how this is happening, the data has to be sent to the server before it can be hashed up and because i don't use SSL the username and password are sent unencrypted, so would i be right in assuming that this information would be sent in plain text?

If so, this isn't good at all. So the only two ways i can see about getting through this is either:

  • Using SSL and securing the connection between the user and the server and encrypting the data being sent.

  • Hashing the information before it leaves the user, this could be done using Javascript

    • I want to implement the second but I'm not sure of how to do this. What would be the best practise for this?

    I was thinking before the information is sent a AJAX script will take control of the data and check to see if first the information is what we're looking for and then salt and hash the information.

    Are there any security implications on this implementation I have described?

    Thanks for your time.

    Using SSL and securing the connection between the user and the server and encrypting the data being sent.

    Yes, do this.

    Hashing the information before it leaves the user, this could be done using Javascript

    This will not secure the data. Instead, it would effectively change the secret data to be sent to the server to the hashed version of the password. That would still be sent as plain text and attackers could sniff it and know exactly what to send.

    您可能对Secure Remote Password协议感兴趣。

    链接地址: http://www.djcxy.com/p/21594.html

    上一篇: 如何“减少”凭证加密?

    下一篇: 不使用SSL散列密码的最佳做法