0

I'm currently storing bcrypt encrypted passwords in my database. At the moment my html forms submit a clear text password to my server, which then compares the bcrypt result (of the clear text) for a match. This is working fine, but my understanding is submitting a clear text password, regardless if over https is bad practice. I was thinking of submitting an MD5 hash client side, but I would then have nothing to compare it to on the server side, as it would not equal the bcrypt md5 hash. To increase security should I perform a client side bcrypt of the password and submit that and then just do a direct comparison on the server? I appreciate any advice, thank you.

edencorbin
  • 383
  • 1
  • 3
  • 7
  • 2
    Also related: https://stackoverflow.com/questions/962187/plain-text-password-over-https – omijn Nov 12 '17 at 22:16
  • yes, I'm seeing that generally its not that beneficial to encrypt passwords on the client side prior to sending, and that server side encryption is generally sufficient, will look into accepting/closing this question as it is mostly duplicate. – edencorbin Nov 12 '17 at 23:17
  • 1
    you can't validate password attributes if you do that, so `'` becomes a valid pw... – dandavis Nov 12 '17 at 23:53
  • 1
    What is your source for „submitting clear text passwords over https is bad practice“? Also: No encryption is happening here. It‘s called hashing and is significantly different. If it was encryption, you would have other, more severe, problems with security than just bad sources for bad practices. – Tobi Nary Nov 13 '17 at 04:59
  • Good point on encryption, I'm hashing with bcrypt, my mistake. Honestly my source was some stack overflow answer/comment I can not find now. I'm convinced from these responses and some other searches it does not provide much value to hash the client side password. – edencorbin Nov 14 '17 at 16:02

0 Answers0