Password hashing (non-SSL)

前端 未结 6 2541
迷失自我
迷失自我 2021-02-20 13:18

How is the password sent from browser to server in case of non-ssl transfer?

I want to use bcrypt to hash password+salt before sending.... but it seems there is no javas

6条回答
  •  既然无缘
    2021-02-20 13:37

    Your method seems very insecure. But to approach your questions...

    1. The same way it would be sent over SSL, just unencrypted.
    2. No, MD5 is not good enough, even over SSL. If you are truly worried about security, then why would you choose a cracked algorithm that can be deciphered using a multitude of web services online (this has been the focus of a few sprited debates here on SO).
    3. Even if you hash the passwords before sending them, you are doing this CLIENT SIDE. This means that your hash and your algorithm are exposed and shown to every end user. As a result, a well to do hacker now knows exactly how you are sending the passwords.

    In closing, just get at least a $20 SSL cert from GoDaddy if you want to secure your site/text during transfer from client to server. Encrypt your passwords on the server side before storing to your DB.

提交回复
热议问题