Hash passwords before passing? (Web)

Question

Hash passwords before passing? (Web)

I read this about password security and mentioned that there are sites that have a "hash password before transferring"?

Now, considering that this is not using an SSL connection (HTTPS), a. it is really safe and b. if so, how do you do it in a safe estate?

Edit 1: (some thoughts are based on first answers)

with. If you make a hash password before passing, how do you use it if you only store a salted hash of the password in your user credentials?

e. Just check if you are using a secure HTTPS connection, is any of this necessary?

+3

passwords

wag2639 Jun 09 '10 at 19:06

source share

3 answers

, , . - , , . , , .

, - . , () , .

JavaScript SHA-1, . MD5, .

+1

Thorarin 09 . '10 19:16

"--", .

:

H _D S _D
S _R
K S _R
S _D S _R

The client computes H _D by stitching the user password using S _D
The client computes K by hashing H _D with S _P
The client encrypts all communication with the server using K

This scheme creates a random session key K based on the user's password.
A person in the middle could not get K without knowing the user's password (or H _D , which should be kept secret), and therefore can not impersonate a server.

+1

SLaks Jun 09 '10 at 20:11

source share

SLaks · Accepted Answer · 2010-06-09T19:13:36+0000

, (, , ).

, .

, "--".

Hash passwords before passing? (Web)

More articles: