Question
I am making a login system, and when logging in the password currently gets sent from JavaScript to a PHP file.
In PHP I use the following piece of code to hash.
$hash = password_hash($_POST['password'], PASSWORD_BCRYPT);
How should I hash the password in JavaScript before sending it using POST?
I obviously do not want to affect BCRYPT's security.
Answer 1:
What is done on the client side is not really controlled by you. What I mean is that even if you hash your password, it's possible for a client to get the password before hashing/encryption.
var password = document.getElementById('login').value;
console.log(password); // It is as simple as that
// hash password...
The above is a simple example to explain: the client could get the password like this, or someone else could get it using an XSS attack. You should do your best to protect your clients from XSS, but then you can't control what happens on the client side.
If what you fear is a Man In The Middle (MITM) attack, the most important thing is to use a TLS certificate with a correct algorithm (it depends on the OpenSSL version of your server).
In short, using HTTPS is what you should do to protect your clients from a MITM attack.
So in my opinion, it's not required to hash/encrypt the password before sending it.
Answer 2:
If you want, you can play with some bcrypt implementation client-side (search "bcrypt js"; there is an example implementation).
BUT, that means you must use the same salt value between server and client. This answer explains.
Therefore, if a client is compromised, your secret server salt value will be as well.
BUT, what are you trying to achieve? If you think it's more secure to send and compare the hash instead of sending the plain password once and hashing it server side, you're wrong. A man in the middle will steal either the password or the hash and will break security.
The right answer has been given in a comment: you had better use HTTPS for best security. At least use digest auth if you can't use HTTPS (What is digest authentication?).
Answer 3:
Without HTTPS, never mind doing such a thing on the client side, because they will de-obfuscate your code and see your encryption algorithm anyway.
Source: https://stackoverflow.com/questions/50578596/how-should-i-hash-passwords-before-posting-and-then-using-bcrypt