-1

Another question about client- or server-side password hashing, I know. After reading many other posts about this topic I'm still a little confused and not completely sure what is best, because I read many contrasting opinions.

Using an SSL certificate, which is what I'm going to do, I came to the conclusion that it's not worth hashing the password in JavaScript.

But anyway, rather than send the password in cleartext to the server, would it make sense to 'disguise' the password in JavaScript (for example, replacing letters and numbers with others based on a customized pattern), then rebuild the original password on the server using the same pattern, then hash the password and store it in the DB? Or would this not add much more security?

  • Can you clarify whether you are going to post these credentials over a secure connection (https) or not? It is not entirely clear from your question. If you are sending it over https you are not sending it in clear text, thus contradicting the statements you make in your 2nd and 3rd paragraphs. – ilikebeets Sep 02 '14 at 08:29
  • More importantly, no it will add absolutely zero extra security. Have a look at the following answer: http://security.stackexchange.com/q/66475/42743 – ilikebeets Sep 02 '14 at 08:34
  • I'm using https, but I was thinking that the password went through https in clear text. (I'm not using it yet; for the moment I'm just trying to understand.) – user3689598 Sep 02 '14 at 09:23

1 Answer

3

You are misunderstanding the purpose of TLS (https). If you have an https connection to that server, that means that all traffic is encrypted in transit from the client to the server. This includes any credentials.

As for "disguising" the passwords on the client side with some rudimentary character rotation and replacement: that would add absolutely no security to the process, as is explained in detail in this post.

ilikebeets
  • 2,646
  • 15
  • 21