I have a login form where the user types a password.
I now want to send the hashed password to the server so that it can be compared with a hashed password in the database.
I just can't find how to do this. All the examples I look at ignore this stage as if it's obvious. I'm sorry but not to me.
To encrypt the data being sent from the browser to the server you need to have a security certificate attached to the web site. That certificate encrypts all of the information the browser sends using a key that only the specific web site knows how to decrypt.
The server can then apply the hash to the password before comparing it with the stored copy.
Sending the MD5 hash of the password in plain text doesn't provide any protection as that hash effectively is the password in that instance and anyone intercepting it would be able to use it to log in just the same as if the plain text version were sent. Only the encryption provided by the security certificate provides the protection from being intercepted.
All the examples ignore the step you are talking about because it doesn't serve any purpose.
You should also know that using MD5 to hash a password is pretty much as insecure as storing the password in plain text these days.
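The server-side step the answer above describes, written out as an added example (it is not code from this thread, and the thread never names a server language, so Python's standard library is an assumption): the server receives the plain password over TLS, hashes it with a per-user random salt and a slow, iterated function (PBKDF2-HMAC-SHA256 here, with an iteration count and a record format of my choosing), stores only that record, and on login recomputes and compares in constant time. The `unsalted_md5` helper shows the property the answer warns about: with no salt, every user with the same password gets the same stored value.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 with a per-user random salt stands in for the
# "hash on the server" step; the iteration count and record layout are my choices.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False                            # malformed or foreign record never verifies
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def unsalted_md5(password: str) -> str:
    """The scheme the thread warns against: no salt, one fast hash, identical for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


class UserStore:
    """Toy in-memory user table (constructed for the example; real code uses a database)."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS) -> None:
        self._iterations = iterations
        self._users: dict[str, str] = {}
        # Dummy record so a login for an unknown user costs the same as a known one.
        self._dummy = hash_password("", iterations=iterations)

    def register(self, username: str, password: str) -> None:
        # Only the salted, iterated record is stored; the password itself is discarded.
        self._users[username] = hash_password(password, iterations=self._iterations)

    def login(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            verify_password(password, self._dummy)   # same work, then reject
            return False
        return verify_password(password, record)


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print("alice / right password :", store.login("alice", "correct horse battery staple"))
    print("alice / wrong password :", store.login("alice", "wrong"))
    print("two salted records for the same password differ:",
          hash_password("same") != hash_password("same"))
    print("two MD5 digests for the same password are equal:",
          unsalted_md5("same") == unsalted_md5("same"))
```

The record carries its own salt and iteration count, so the server can raise the cost for new registrations later and still verify old records. The browser sends the plain password only because TLS protects it in transit; nothing here depends on the client hashing anything.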
Thank you both. I will now read up about using a safety certificate.
It is worrying to know that there are a lot of people who think that md5 is the way to go and as such steer others in that direction.
MD5 has been around for so long that it's pretty much thrown at new developers. I myself stick to salt encryption, which I have found to be much more unique as far as security is concerned.
As for the SSL certificate, there are some rapid SSL websites out there that use well-known providers to generate the certificate if you can't afford around $700-1000 per year.