Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Does it make security sense to hash password on client end

If you were to hash a user's password prior to sending it across the line and leaving it in plain-text in memory, would this improve the security of the application?

I would assume this mitigates a small fraction of vulnerabilities by protecting the data stored in the clients memory. But really if we're worried about someone reading the client's memory there are probably bigger problems that we can't address.

There's something that doesn't feel right about hashing on the client's end.

Is password hashing on the client end a common practice? Are there any other advantages or disadvantages to doing it?

EDIT: Given the communication channel is secure (SSL). Under what conditions would it be acceptable and worthwhile to use such an approach. I'm asking this because it was suggested by a "security professional" that I use such a scheme during some application functions.

like image 459
IaCoder Avatar asked Sep 04 '09 16:09

IaCoder


People also ask

Should passwords be hashed on client side?

Hashing passwords makes it possible to use them for authentication, while making it hard to reconstruct the original password. Hashing passwords on the client may be beneficial: even though it does not protect against attackers, it does protect against accidental mistakes.

Should I hash password at front end?

The hashing should be done at the back-end. The back-end is under your control, so you can enforce that the hashing is taking place as it should.

Is a hashed password secure?

Whereas the transmission of the password should be encrypted, the password hash doesn't need to be encrypted at rest. When properly implemented, password hashing is cryptographically secure. This implementation would involve the use of a salt to overcome the limitations of hash functions.

Does hashing a hash make it more secure?

ANY encryption, hashing or other obfuscation is far better than plaintext! The problem with sha1 is that its fast, so its fast to generate hashes to crack against. Salting helps a lot, but if your server is compromised and you have your salt hash stored as a string somewhere, there goes that advantage...


1 Answers

No.

When the client sends something, whether it is P or H(P) or H(H(P)) anyone who intercepts this can simply resend the exact same thing, thus making any function like this equivalent to using the password directly.

That's why you should use a nonce; The server can give out some random garbage k and the client will calculate H(P,k) and send it to the server. HMAC is a popular implementation of this method.

Provided the server never accepts the same nonce twice, this is secure against a replay attack.

like image 56
geocar Avatar answered Oct 04 '22 22:10

geocar