Is it safe to hash the password before sending it to the server?

Furthermore, if your application is depending on HTTPS to keep its content secure, then it’s useless to hash the password before sending it over HTTPS (i.e. if an attacker can decrypt the data on the wire, you’re screwed anyway). No, in fact this would be a vulnerability.

How to send passwords securely over the Internet?

You can use SRP to use secure passwords over an insecure channel. The advantage is that even if an attacker sniffs the traffic, or compromises the server, they can’t use the passwords on a different server. https://github.com/alax/jsrp is a JavaScript library that supports secure passwords over HTTP in the browser, or server side (via node).

How does the client send the password to the server?

The client takes the user’s password, hashes it, adds the salt from the server and hashes the whole thing, before transmitting it to the server. Then it’s sent to the server, which compares this hash to the hash (hash in the DB + salt).

Do you send passwords over HTTPS or HTTP?

Secure authentication is a broad topic. In a nutshell, as @jeremy-powell mentioned, always favour sending credentials over HTTPS instead of HTTP. It will take away a lot of security-related headaches.

How is a hashed password used to verify a password?

And the hash function is deterministic, so you can always rehash a putative password and see if the result is equal to a given hash value. Thus, a hashed password is sufficient to verify whether a given password is correct or not.

Is there a good case for client side password hashing?

To sum up, there is no really good case for doing client-side password hashing, from JavaScript code sent by the server itself.

Is it safe to transmit password in the clear?

You should never transmit a key or password “in the clear”. Not even over HTTPS. HTTPS is not impenetrable. In fact, many organisations can become a trusted MITM – not from an attack perspective, but to perform inspections on the traffic to implement their own security policies.