I have a web application that can use both HTTP and HTTPS (depending on what the user chooses). When a user registers, should their password be hashed on the client side then passed to the server or should the plain text be passed to the server and then hashed.
I believe packet sniffing tools can be used to capture the password if using HTTP, so would it be better to hash it on the client side?
Client or Server side password hashing when a user registers (using HTTP)
431 Views Asked by ToDo At
1
There are 1 best solutions below
Related Questions in HTTP
- My get request for http is very slow
- Angular multiple http requests chrome android
- HttpRequestContext vs HttpContext
- Converting curl command to iOS
- getting google contacts using shuttlecloud
- Node.js http.get example
- How can hide url value in php
- Symfony2 - handle HTTP/Entity user access restrictions
- Angular http interceptor responseError doesn't have statusText
- Which of the following hostnames are valid?
- Send Http request at specific time
- Rails - read file from POST request / octet-stream
- Python - Cookies & BeautifulSoup
- Npm requests stopped by home router
- POST Android json data
Related Questions in SECURITY
- Can MVC.NET prevent SQL-injection at razor or controller level?
- Forgotten password reset page: should the user need to enter a username/email as well?
- Dynamic roles list in CustomAuthorize ASP MVC
- Access roles from multiple applications
- How to Fix TLS CBC Incorrect Padding Abuse Vulnerability on Windows 2003 Server
- Evernote Web Clipper and Content Security Policy
- Invalidate user credentials when password changes
- Spring Boot MVC non-role based security
- Correct Captcha behaviour on error
- Is macro more secure than static const if I don't want someone to know or change the hardcode value?
- In Android, ensuring only pre-decided users can only use the app
- Authenticating plain text passwords against md5 hash in DB using Apache Shiro
- Symfony2 - handle HTTP/Entity user access restrictions
- Client side computation without exposing code?
- searchable row level encryption using java?
Related Questions in HASH
- Trouble validating md5 hashed password with randomly generated salt?
- Why k and l for LSH used for approximate nearest neighbours?
- PHP password_hash() / bcrypt
- Unique hash/index for time interval
- Order-independent Hash Algorithm
- git hard reset - what am I doing wrong?
- Java HashMap, hashCode() equals() - how to be consistent with multiple keys?
- Create hash from variables in loop
- Hashing integer coordinates of different sizes
- Xcode salting and hashing a password
- Is there a way to generate a Guid from a list of Guids?
- Path reconstruction with Hashing?
- Creating a Hash with keys from an array and empty arrays as the values
- How to read data from a different file without using YAML or JSON
- change value in hash using an array of keys in ruby
Related Questions in HTTPS
- HTTP to HTTPS mapping using proxy servers
- How to fix WordPress HTTPS issues when behind an Amazon Load Balancer?
- KeyStore file is not found in jar, although present in jar
- How do I accept a self-signed SSL certificate using iOS 7's NSURLSession
- HSTS: Should I force user to use HTTPS on load balance or web server?
- squid sslbump works with private connection warning
- javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified:
- https post request using httpClient and cert.em
- Added SSL certificate to website, everything runs fine except if someone types https://example.com
- Using HTTPS or encrypt response myself
- redirect https to http for content filtering
- iOS9 ATS: what about HTML5 based apps?
- How to pass https url to a class' constructor that requires URL object as parameter in Java?
- Cannot Read XML file from https:// site
- Problems connecting via HTTPS/SSL through own Java client
Related Questions in PASSWORD-HASH
- Trouble validating md5 hashed password with randomly generated salt?
- How are Joomla 3 passwords encrypted?
- Django Rest Framework - serializer code not executing
- How to verify an hashed password
- Client side password hash versus plain text
- Reset password don't work when login php
- php password_hash and password_verify looked all over still doesn't work
- Check drupal 7 password to C#
- Rfc2898DeriveBytes how to verify the password which is store in database as hash value
- Client or Server side password hashing when a user registers (using HTTP)
- php password_verify doesn't work
- Password does not match with hash algorithm (SQL Server)
- ASP.NET: SHA1 + Salt Password Hashing on Multiple Servers
- Salted Password Validation in PHP
- Hash passwords with bcrypt in the database or in php code?
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
Would it be better to hash it on the client side?
No, don't hash username/password on the client side, it doesn't make any sense.
If the web application is using HTTPS, the register request is already enctypted, which means hashing password is redundant.
If the web application is using HTTP, then everyone who is sniffing in the network can see all HTTP packets of this web app, which means:
In summary, once web application is using HTTP, nothing is secure.