PHP password hashing question

Sureshot324

Diamond Member
Feb 4, 2003
3,370
0
71
I'm learning PHP and working on creating a simple username/password authentication for my page. Is it standard practice to hash the password both on the client side (before it's sent) and then hash it again (hash the hash) on the server side? The PHP tutorials I've been reading seem to only hash it server side, but I guess since PHP is a server side language it can't be used on the client side.

It seems to me it should be hashed client side so you're not sending a plain text password over the internet. To my understanding it should also be hashed on the server, since if the database was compromised, the hacker could not find what he needs to log in as you. Is this correct?
 

Markbnj

Elite Member
Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
You could use https:, which would secure the password in the pipe. Pretty much any site where the password really matters does so. Banks, etc. Forums and the like usually do not, or at least they haven't in my experience. As for obscuring the password between the browser and server, the problem is that any two-way cryptographic approach requires a shared secret, or at least a shared way of deriving a secret, and if the browser knows that then so does any attacker. So the average scheme for light-security sites is probably still: user-chosen password hashed into a column in the db, password sent in plain-text from the browser, hashed and compared with the hashes in the db.
 

Ka0t1x

Golden Member
Jan 23, 2004
1,724
0
71
Yeaup, the basic practice is to use https when sending the password, so it's secured. But the server hashes it and then compares it to the database.

I prefer to use a salted hash method with the whirlpool algorithm.
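The server-side scheme Markbnj describes (password sent in clear over https, server hashes it and compares against the hash column) and the salted-hash variant Ka0t1x prefers, written out as one added PHP example. This is not code from the thread; it assumes PHP 7 or later (for `random_bytes()` and `hash_equals()`) and uses a plain `$users` array as a stand-in for the database column.

```php
<?php
declare(strict_types=1);

// Added example: the server never stores the password itself, only a hash.
// $users stands in for the db table; a real app would use PDO queries.

// Ka0t1x's approach: whirlpool over a per-user random salt. The salt is
// stored next to the hash, so two users with the same password get
// different hashes and a precomputed (rainbow) table is useless.
function salted_whirlpool(string $password, ?string $salt = null): array
{
    $salt = $salt ?? bin2hex(random_bytes(16));     // 32 hex chars, random per user
    return [$salt, hash('whirlpool', $salt . $password)];
}

function register_whirlpool(array &$users, string $username, string $password): void
{
    $users[$username] = salted_whirlpool($password);  // [salt, hash]
}

function login_whirlpool(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    [$salt, $stored] = $users[$username];
    [, $computed] = salted_whirlpool($password, $salt);
    // hash_equals() compares in constant time, so a wrong guess does not
    // leak how many leading characters matched through timing.
    return hash_equals($stored, $computed);
}

// The same scheme with PHP's built-in API (PHP >= 5.5): password_hash()
// generates the salt itself and uses a deliberately slow algorithm (bcrypt
// by default, with a cost factor), which is what makes offline guessing
// against a stolen db column expensive. The salt, algorithm and cost are
// all encoded in the returned string, so one column is enough.
function register(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array $users, string $username, string $password): bool
{
    static $dummy = null;
    if (!isset($users[$username])) {
        // Verify against a throwaway hash so "no such user" and "wrong
        // password" take about the same time.
        $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $users[$username]);
}

// Constructed sample run (not real user data).
$db = [];
register($db, 'alice', 'correct horse battery staple');
register_whirlpool($db, 'bob', 'hunter2');

var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong'));
var_dump(login($db, 'nobody', 'anything'));
var_dump(login_whirlpool($db, 'bob', 'hunter2'));
var_dump(login_whirlpool($db, 'bob', 'hunter3'));
```

Both functions store only what the thread calls the hash column, and both only ever see the password after https has carried it to the server. The difference worth knowing: whirlpool is a fast general-purpose hash, so an attacker holding the table can test guesses at the hash function's full speed even with salts; `password_hash()` uses a slow, tunable algorithm for exactly that reason, and `password_verify()` reads the salt and cost back out of the stored string, which is why it needs no separate salt column.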
 

Sureshot324

Diamond Member
Feb 4, 2003
3,370
0
71
You could use https:, which would secure the password in the pipe. Pretty much any site where the password really matters does so. Banks, etc. Forums and the like usually do not, or at least they haven't in my experience. As for obscuring the password between the browser and server, the problem is that any two-way cryptographic approach requires a shared secret, or at least a shared way of deriving a secret, and if the browser knows that then so does any attacker. So the average scheme for light-security sites is probably still: user-chosen password hashed into a column in the db, password sent in plain-text from the browser, hashed and compared with the hashes in the db.

So what do forums typically do then?