I apologize if this has been asked before but I am hoping for an up-to-date answer.
I am very new to server-side security and I want to do this correctly.
My question: Is it best-practice to encrypt a password that is being sent over HTTPS?
I have seen posts that recommend using JavaScript to encrypt a password before it is sent in the POST variables, but I am not sure if this is necessary when using HTTPS.
Please note: I have every intention of hashing & salting the password when it is stored in the database.
If using HTTPS, there isn't much of a reason to encrypt data sent between client and server. HTTPS does that for you, so any further encryption is redundant.
The only reason I can think of to encrypt the password in advance would be to hash it client side to avoid having the clear password persist in server memory or logs. This is somewhat paranoid, and probably not of much use in the real world. Logs should never record passwords regardless, and if someone has access to your server memory, you've got other issues to contend with besides password encryption.
Also, encrypting the password in the client allows others to see how the encryption/hashing is being performed. IMHO that is more of a security risk than having it reside in server memory for a few ms.
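The point both posts agree on is that the real protection lives on the server: TLS covers the wire, and the stored credential must be a salted, slow hash rather than the password itself. The following is an added example (not code from either poster) of what that server side looks like, using only the Python standard library. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt and a self-describing record format, and a constant-time comparison on verify; the `users` store, the iteration count and the sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Cost parameters (assumed values for this example). A real deployment would
# tune the iteration count to its hardware, or prefer a memory-hard KDF such
# as Argon2id or scrypt where a library for it is available.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str,
                  salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a record of the form 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.

    A fresh random salt is drawn for every call, so hashing the same password
    twice yields two different records and defeats precomputed tables.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters embedded in the record and compare
    in constant time. Malformed records are rejected rather than raising."""
    try:
        algo, iter_s, salt_hex, hash_hex = record.split("$")
        if algo != ALGORITHM:
            return False
        iterations = int(iter_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


# Constructed in-memory user store standing in for the database table.
users: Dict[str, str] = {}


def register(username: str, password: str) -> None:
    """Store only the hash record; the clear password is never persisted."""
    users[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    """Check a submitted password against the stored record.

    An unknown user is verified against a dummy record so the response time
    does not reveal whether the username exists."""
    record = users.get(username)
    if record is None:
        verify_password(password, hash_password("dummy"))
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("stored record:", users["alice"])
    print("right password:", login("alice", "correct horse battery staple"))
    print("wrong password:", login("alice", "Tr0ub4dor&3"))
    print("unknown user:", login("mallory", "anything"))
```

The record format carries its own algorithm and cost, so the iteration count can be raised later and old records re-hashed on the user's next successful login without a separate migration.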