Sending password safely from the front-end to the back-end using MD5

I've encrypted a password field in my DB by MD5, and I handle it encrypted in my back-end, but when the user types their password in, it is in plain text.

Is there a safe way to pass the password from the front-end to the back-end? MD5 doesn't make sense in this case...

NOTE: I'm using HTTPS and the POST Method.

409 likes

Elias MP asked Jun 08 '16 11:06


People also ask

Should I hash password backend or frontend?

You shouldn't encrypt passwords. You should hash them, so you could not decrypt them later (nor could an attacker). And the hash step is always done on the backend, since doing it on the client side would give an attacker who got access to your hashes a way to log in to every account.

Is it safe to send password over https?

Quick Answer: It is a standard practice to send "plain text" passwords over HTTPS via the POST method. As we all know, the communication between client and server is encrypted with TLS, so HTTPS secures the password.

How do passwords pass securely from server to client?

This is usually overcome by encrypting the communication between the user and the server. The most common form of encryption is the Transport Layer Security (TLS) standard or the older SSL standard (Secure Socket Layer).


1 Answer

You can think about the following steps to protect the password:

  1. Use HTTPS preferably with HSTS to protect the passwords during transport;

  2. Use a password hash such as bcrypt instead of MD5 to protect the password on the server.

    • HASH passwords with salt;
    • use a high work factor for bcrypt.

MD5 is not the best way to hash. MD5 is not considered secure anymore.

MD5 is not encryption. Don't encrypt passwords; hash them. Encryption can be decrypted; hashing cannot be reversed.

58 likes

Tom answered Sep 22 '22 08:09
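The answer above (and the "Should I hash password backend or frontend?" snippet) boils down to: send the plaintext over HTTPS, and let the server store a salted, slow hash rather than MD5. The following is an added example, not code from the question or the answer. It uses Python's standard-library `hashlib.scrypt` as a stand-in for bcrypt, because both are salted password hashes with a tunable work factor and `scrypt` needs no third-party package; the storage format, the parameter values and the `verify_and_upgrade` helper for migrating existing MD5 rows on the user's next login are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work-factor parameters (constructed example values; tune so that one hash
# takes a noticeable fraction of a second on your server hardware).
SCRYPT_N = 2 ** 14   # CPU/memory cost; raise this to make brute force slower
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None, n: int = SCRYPT_N) -> str:
    """Hash a plaintext password with a fresh random salt (server-side only).

    Returns a self-describing string "scrypt$N$r$p$salt_hex$digest_hex" so the
    parameters can be raised later without breaking verification of old rows.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-user salt: equal passwords -> different hashes
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN
    )
    return f"scrypt${n}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.scrypt(
            password.encode("utf-8"), salt=salt, n=int(n), r=int(r), p=int(p), dklen=len(expected)
        )
    except ValueError:
        return False  # malformed record: never treat as a match
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


def md5_unsalted(password: str) -> str:
    """The legacy scheme from the question: fast and unsalted, so identical
    passwords give identical digests and precomputed tables work against it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Log a user in against either an scrypt record or a legacy MD5 record.

    Returns (login_ok, replacement_record). When a legacy MD5 row verifies, the
    caller should overwrite it with the returned scrypt record, so the database
    migrates away from MD5 one login at a time. (Hypothetical migration helper.)
    """
    if stored.startswith("scrypt$"):
        return verify_password(password, stored), None
    # Legacy row: 32 hex chars of MD5. Compare in constant time, then rehash.
    if hmac.compare_digest(md5_unsalted(password), stored):
        return True, hash_password(password)
    return False, None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    ok, new_record = verify_and_upgrade("hunter2", md5_unsalted("hunter2"))
    print("legacy login:", ok, "-> upgraded:", new_record is not None)
```

Two properties are worth checking against your own database: hashing the same password twice must give two different records (that is the salt doing its job), and a record must remain verifiable after you raise `SCRYPT_N`, because the parameters travel with the hash. Neither holds for an unsalted MD5 column.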