How to securely transfer the password?
I am writing a chat on Node.js for self-education. For hashing user passwords, both on the server and on the client, I use https://www.npmjs.com/package/crypto-js
The algorithm is as follows:
The user enters a username and password and presses enter
We encrypt the password on the client like this:
<script type="text/javascript" src="path-to/bower_components/crypto-js/crypto-js.js"></script>
<script type="text/javascript">
var password = $('#pass').val();
var encrypted = CryptoJS.SHA512(password);
// .. send the password and login to the server
</script>
The first option, the most correct one, is to register the user only via https.
The second option is to use asymmetric encryption, generate a pair of keys for each session on the server, transfer the public key to the client, encrypt data on the client with this key, and decrypt it on the server with the private key.
So you need to hash only on the server, why on the client?
You simply send the password "pass243" to the server, hash it on the server with your own algorithm, and check it against the one hashed in the database. If it matches, OK. Do not store anything on the client, otherwise it will be hacked with no effort at all)
There is no point in hashing the password on the client.
Use an encrypted protocol (https).
And on the server, compute the hash (preferably with some kind of salt) and compare / save it.
There is no point in hashing the password on the client.
You need to use the https protocol, which will protect against a man-in-the-middle attack.
Store the password hash on the server, preferably compare and save it with a salt.
For an attacker, the hash calculated on the client will be a normal password.