The obvious answer is hashing. I am thinking of using SHA512 to hash the salty password.
My question is this: where should I specify the password?
I thought of two ways:
(1) I use it in the application. This will mean that the hash is being sent to the server. Then the server checks it for the stored hash and registers the user if the hashes match.
(2) I use it on a server. The hash is checked in the same way.
My problem is that I feel that the password is likely to be intercepted. In (1), a hash can be extracted by a man-in-the-middle attack. Now, an attacker can simply use this hash to access user information.
In (2), an attacker can intercept a plaintext password and use it to access a user account.
Is the solution I need for a hash on both sides? A salt hash on the client, and then a server-side hash again?
I am not sure how to proceed. I do not want to access user information.
If you can also indicate the benefits of your proposal, I would be grateful.
source
share