When should a password be hashed?

Question

I develop a Smartphone App and have a little question:

When should I hash the user passwords, on the device or upload them in plain text and hash them on the server before stored in the database?

Answer 1

In addition to the excellent answer given by Thomas Pornin in the linked question, I would add that for security reasons in your case you probably want to do some hashing on the client side, and some hashing on the server. The reasoning goes like this:

Pros of server-side hashing:

Lets' say you only do client-side hashing, then you are taking the string that you get from the user (the hashed password) and storing that directly in the database. The next time they log in, you are directly comparing the string they send you with the one in the db, this is basically equivalent to storing the password in plaintext. If someone steals your database they won't even need a rainbow table, they can just use those hashes directly as login passwords (assuming they write a malicious client that just sends a raw string). So strong server-side hashing protects the users from database thefts.

Pros of client side-hashing

Aside from the performance boost you get from this, there's a security bonus too: the server never sees the plaintext password. Assuming that users will use the same password for many sites (which most users do), then even if your db gets stolen, users' accounts on other sites don't get compromised.

So my advice is to do both; do a small amount of hashing client-side, and then your full-blown hashing server-side.

Answer 2

I would definitely hash before the upload. If a user device is connected to a network with someone sniffing packets, a plain text password being uploaded is easily read. Not very secure.