PHP password hashing question

Sureshot324

Diamond Member
I'm learning PHP and working on creating a simple username/password authentication for my page. Is it standard practice to hash the password both on the client side (before it's sent) and then hash it again (hash the hash) on the server side? The PHP tutorials I've been reading seem to only hash it server side, but I guess since PHP is a server side language it can't be used on the client side.

It seems to me it should be hashed client side so you're not sending a plain text password over the internet. To my understanding it should also be hashed on the server, since if the database was compromised, the hacker could not find what he needs to log in as you. Is this correct?
 
You could use https:, which would secure the password in the pipe. Pretty much any site where the password really matters does so. Banks, etc. Forums and the like usually do not, or at least they haven't in my experience. As for obscuring the password between the browser and server, the problem is that any two-way cryptographic approach requires a shared secret, or at least a shared way of deriving a secret, and if the browser knows that then so does any attacker. So the average scheme for light-security sites is probably still: user-chosen password hashed into a column in the db, password sent in plain-text from the browser, hashed and compared with the hashes in the db.
 
Yeaup, the basic practice is to use https when sending the password, therefore secured. But the server hashes and then compares to the database.

I prefer to use a salted hash method, whirlpool algorithm.
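The server-side scheme the two replies above describe, written out as an added example that is not code from the thread: the browser sends the plaintext over HTTPS, the server stores only a salted hash and re-hashes the submitted password to compare. It assumes PHP 7 or later (password_hash(), password_verify(), random_bytes(), hash_equals()) and uses a $users array as a stand-in for the database table.

```php
<?php
// Added example, not code from the thread. Assumes the password arrived over
// HTTPS in $_POST['password'] and that $users stands in for the database table.
// Requires PHP >= 7.0.

// Registration: store only a salted hash. password_hash() draws a random
// per-user salt and embeds it in the returned string, so no separate salt
// column is needed, and bcrypt is deliberately slow to hinder offline guessing.
// Note: if a browser pre-hashed the password, this step is still required,
// because whatever value the client submits *is* the credential and must not
// sit in the database as-is.
function register(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: hash the submitted plaintext again and compare with the stored hash.
// Nothing reversible is stored, so a dump of the table does not give an
// attacker a value he can submit as the password.
function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]);
}

// The manual "salted whirlpool" variant mentioned above, for contrast. The salt
// must be random per user and stored next to the hash; hash_equals() avoids a
// timing leak on comparison. Whirlpool is a fast hash, so someone holding the
// table can test guesses far faster than against bcrypt.
function legacy_hash(string $password, string $salt): string
{
    return hash('whirlpool', $salt . $password);
}

function legacy_verify(string $password, string $salt, string $stored): bool
{
    return hash_equals($stored, legacy_hash($password, $salt));
}

// Constructed demo data.
$users = [];
register($users, 'alice', 'correct horse battery staple');
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong guess'));

$salt   = bin2hex(random_bytes(16));
$stored = legacy_hash('hunter2', $salt);
var_dump(legacy_verify('hunter2', $salt, $stored));
```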
 
You could use https:, which would secure the password in the pipe. Pretty much any site where the password really matters does so. Banks, etc. Forums and the like usually do not, or at least they haven't in my experience. As for obscuring the password between the browser and server, the problem is that any two-way cryptographic approach requires a shared secret, or at least a shared way of deriving a secret, and if the browser knows that then so does any attacker. So the average scheme for light-security sites is probably still: user-chosen password hashed into a column in the db, password sent in plain-text from the browser, hashed and compared with the hashes in the db.

So what do forums typically do then?
 