
I'm doing a little research on my question but haven't found any concrete answer. I have a client-server architecture. I'm using Bcrypt as the hash function (the password is stored as a double hash), and HTTPS to protect the channel.

Let's suppose my client is performing a login. I'm using nonces for One-Time-Password login.

Should I do the Hash(password) at the client side and send it to the server to validate? Or just send the clear text password through HTTPS and do Hash(password) at the server side and validate it?

rew1nd

1 Answer


You should send the plain text password (over HTTPS) and do the hashing on the server side.

If you did the hashing before sending it to the server, the hash of the password would effectively become the password, because an attacker would only need to know the hash of the password to successfully authenticate with the server.

See also: https security - should password be hashed server-side or client-side?

Jacco
  • Why duplicate the answer instead of voting to close as a duplicate? – Tensibai Sep 27 '17 at 12:01
  • @Tensibai, because I first typed out the answer, then noticed the related link and thought it nice to add extra attention to it, so I edited the answer and included it. – Jacco Sep 27 '17 at 16:08
  • Fair enough, I had more VTC with the link at the same time personally. – Tensibai Sep 28 '17 at 07:57
  • Please don't do this. If you send the plaintext password, how is that worse than sending a hash which is 'effectively' the password?! The password IS the password! You should get the server to send a one-time nonce and/or salt to combine with the password, hash that, and send that to the server, which is only valid for that one request. – Milney Mar 07 '19 at 16:28
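The following is an added example (not code from the question or the answer) that makes the answer's point concrete: in a "hash at the client" design, anyone holding H(password) logs in without knowing the password, and the server's own slow hash (the question's "double hash") is what keeps a leaked database row from being a working credential. PBKDF2-HMAC-SHA256 stands in for bcrypt here so the example runs with the standard library only.

```python
import hashlib
import hmac
import os

def slow_hash(credential: bytes, salt: bytes) -> bytes:
    # Stand-in for bcrypt (assumption for this example): salted, deliberately slow.
    return hashlib.pbkdf2_hmac("sha256", credential, salt, 100_000)

def client_prehash(password: str) -> bytes:
    # What a "hash at the client" design transmits instead of the password.
    return hashlib.sha256(password.encode()).digest()

class Server:
    """Accepts whatever credential the client sends; optionally slow-hashes it before storing."""
    def __init__(self, slow: bool) -> None:
        self.slow = slow
        self.db: dict[str, tuple[bytes, bytes]] = {}

    def _verifier(self, credential: bytes, salt: bytes) -> bytes:
        return slow_hash(credential, salt) if self.slow else credential

    def register(self, user: str, credential: bytes) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, self._verifier(credential, salt))

    def login(self, user: str, credential: bytes) -> bool:
        salt, stored = self.db[user]
        return hmac.compare_digest(stored, self._verifier(credential, salt))

def demo(password: str = "constructed-sample-password") -> dict[str, bool]:
    cred = client_prehash(password)          # the client never sends the password itself
    single = Server(slow=False)              # server stores H(password) as-is
    double = Server(slow=True)               # server stores slow_hash(H(password)), the "double hash"
    single.register("alice", cred)
    double.register("alice", cred)
    leaked_single = single.db["alice"][1]    # simulated database leak, one row each
    leaked_double = double.db["alice"][1]
    return {
        # H(password) alone authenticates against both servers: it has become the password.
        "prehash_logs_in_single": single.login("alice", cred),
        "prehash_logs_in_double": double.login("alice", cred),
        # A leaked row is a usable credential only when the server skipped its own hashing.
        "leaked_row_logs_in_single": single.login("alice", leaked_single),
        "leaked_row_logs_in_double": double.login("alice", leaked_double),
    }

if __name__ == "__main__":
    print(demo())
```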