Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
I
I
Ilya Pavlov2015-10-18 18:26:09
PHP
Ilya Pavlov, 2015-10-18 18:26:09

Where should you start encrypting your password?

When registering/authorizing, the user enters a password. This password is then sent to the server for verification/saving. How would it be wiser: to encrypt the password before sending it to the server, or already there on the server to accept it "as is" and then md5'it (for example)?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

4 answer(s)
Report
V
Vladimir Martyanov, 2015-10-18
@PiCoderman

https is smarter.

Report
A
Andrey Sanych, 2015-10-18
@mountpoint

Naturally, encrypt on the server + https. Otherwise, the attacker will calmly look at the encryption algorithm in JS.

Report
I
Ivanq, 2015-10-18
@Ivanq

As Vladimir Martyanov already told you , https is better. If absolutely nothing, I will explain why it is impossible neither so nor so.
Suppose we encrypt on the server:

_______                 ______             _________
  |     |                /      \            |       |
  |     |               /  #  #  \           | # # # |
  |_____|     ------->  |  ____  |  -------> | # # # |
  /     \    password:  \ /    \ /           | # # # |
 /_______\ "mypassword"  \______/            |_______|
   Client               Ugly hacker           Server

If on the client:
______                _________            ______
 /      \               |       |           /      \
/  #  #  \              | # # # |          /  #  #  \
|  ____  |   ------->   | # # # | -------> |        |
\ /    \ /   password:  | # # # |  login   \ \____/ /
 \______/    "hismd5"   |_______| success!  \______/
Ugly hacker              Server          Smiling hacker

Report
E
eri, 2015-10-19
@eri

I wonder why *CHAP technologies are not used in the web. This imposes a restriction on the server that it will store passwords with reversible encryption, but at the same time protects against wiretapping.
Even Https is not a panacea - remember avast, which replaces the root certificate of the protected system, if an antivirus can do this, then any trojan can compromise https on the client.
I would very much like to see an implementation in which the password was encrypted on the client in one way, transmitted to the server, encrypted there with the server salt, and the hash of this password would be stored in the database. During authorization, the client makes the first hash, salts it with the salt received from the server, and transfers it to the server. the server salts the password in the database with the second salt, and the received authorization hash with the first salt. Compares hashes. With this approach, the open password will be only in html form and there is a restriction on the choice of hash functions. but with a rather complex encryption algorithm on the server, it becomes more difficult to guess the password and reuse the hash.
It remains to add to this a method that allows you not to store the password in the input field as you type ...

Similar questions
G
GRO242019-08-30 15:23:29
Why doesn't Bootstrap 4 align blocks? 2Reply
S
sinout2017-04-05 02:08:24
Does it make sense to use Immutable along with React? 4Reply
A
Anton2021-03-27 12:39:53
Getting the selected radio item and passing it to the email body, how to display the selected item? 2Reply
P
Pavel2014-05-18 14:34:20
How to set up Chrome DevTools Autosave on windows? 4Reply
A
Andrei1penguin12021-04-01 00:37:45
Why don't losses decrease? 3Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question