Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Sending password safely from the front-end to the back-end using MD5

Tags:

security

passwords

https

cryptography

I've encrypted a password field in my DB by MD5, and I handle it encrypted in my back-end, but when user types their password in, it is in plain text.

Is there a safe way to pass the password from the front-end to the back-end? MD5 doesn´t have sense in this case...

NOTE: I'm using HTTPS and the POST Method.

like image 409
Elias MP Avatar asked Jun 08 '16 11:06

Elias MP

People also ask

Should I hash password backend or frontend?

You shouldn't crypt passwords. You should hash them, so you could not decrypt them later (nor an attacker). And the hash step is always done on the backend, since doing it on client-side would allow an attacker which got access to your hashes a method to login on every account.

Is it safe to send password over https?

Quick Answer:It is a standard practice to send "plain text" passwords over HTTPS via POST method. As we all know the communication between client-server is encrypted as per TLS, so HTTPS secures the password.

How do passwords pass securely from server to client?

This is usually overcome by encrypting the communication between the user and the server. The most common form of encryption is the Transport Layer Security (TLS) standard or the older SSL standard (Secure Socket Layer).

1 Answers

You can think about the following steps to protect the password:

  1. Use HTTPS preferably with HSTS to protect the passwords during transport;

  2. Use a password hash such as bcrypt instead of MD5 to protect the password on the server.

    • HASH passwords with salt;
    • use a high work factor for bcrypt.

MD5 is not the best way to hash. MD5 is not considered secure anymore.

MD5 is not encryption; don't encrypt passwords, hash them, encryption can be decrypted, hashing cannot be reversed.

like image 58
Tom Avatar answered Sep 22 '22 08:09

Tom
Sign in to Comment

Related questions

Is there a "safe" subset of Python for use as an embedded scripting language?
In which languages is it a security hole to use user-supplied regular expression?
SSLContext initialization
Is Microsoft's GUID generator cryptographically secure
HTML.Encode() - What/How does it prevent scripting security problems in ASP .NET?
How to prevent NFC tag cloning?
How safe is information contained within iPhone app compiled code?
Moving old passwords to new hashing algorithm?
Is ALLOWED_HOSTS needed on Heroku?
How does a 7- or 35-pass erase work? Why would one use these methods?
Enable HTTP Strict Transport Security (HSTS) in Azure WebRoles
SSL Java java.io.IOException: Invalid keystore format
require('https') vs require('tls')
cleaning $_POST variables [duplicate]
How to calculate password complexity [closed]
Password does not match after being encrypted using crypt() and password_hash() function
Symfony2 create own encoder for storing password
Should autocomplete="off" be used for all sensitive fields?
Spring AOP: how to get the annotations of the adviced method
Play framework security issue regarding cookies and sessions

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!