Sending passwords over the web

后端 未结 4 629
没有蜡笔的小新
没有蜡笔的小新 2021-01-03 04:02

So I\'m working on a mobile platform application that I\'d like to have users authenticate over the web. I was wondering the best way to do security. The user is sending a p

4条回答
  •  一整个雨季
    2021-01-03 04:47

    For regular non-critical system most websites send the password in plain text over the Internet during a http post request. The password is then server side encoded by SHA1/MD5 and checked against the value in the database.

    You can also use https basic authentication, this will encode the password with a simple algorithm. But although it does not send the password in plain text, the encoding is so simple that it’s very (very!) easy to crack. But by using basic authentication, you cannot use a regular login form, you will need to do with the browsers support for basic authentication (not very user friendly!).

    If you need more security most websites just install a server side SSL certificate that you buy at an ISP (for example godaddy). This will make it possible to access you’re login script over an SSL encrypted connection. This solution is considered secure (as long as the password is not easy to guess or stolen).

    An other interesting, but uncommon approach, is to do the SHA1 encoding in JavaScript before doing a (Ajax) post request to the server (JS sha-1 example). In theory, this could deliver quite reasonable security…

    And if this all is still not enough you could consider installing client certificates or a response-challenge system with a calculator or SMS.

提交回复
热议问题