GraphicRiver

pre-hash

ThemeOcean
2000 posts
  • United States
  • Bought between 50 and 99 items
  • Has been a member for 3-4 years
  • Exclusive Author
ThemeOcean says

So I’m working on a project, and I’m a bit curious about something…

Would it make sense for me to use http://caligatio.github.com/jsSHA/ <- jsSHA and hash the password before it even hits the server? Obviously the site would use SSL but would pre-hashing make any sort of difference?

10 months ago via ThemeForest |
TheRedGiant
59 posts
  • Bought between 1 and 9 items
  • Has been a member for 1-2 years
  • Sold between 1 and 100 dollars
TheRedGiant says

A properly configured SSL connection is enough. And what would you encrypt on the server-side? An already encrypted hash? Because you want to keep the server-side encryption on, in case the user disables Javascript on his browser.

Then you’d end up having single (when the user browser’s JS is disabled) and double-encrypted hashes in your password database, and you’d have to either keep track of that (for later when you want to validate a log in, for example), or extend your initial password storage logic to double encrypt the password in case the user’s request comes from a JS-disabled browser.

Messy.

I think this jsSHA library would be more useful for server-side JS (i.e. a nodejs-based web framework).

10 months ago via AudioJungle |
eduvoindo
47 posts
  • Author was Featured
  • Bought between 10 and 49 items
  • Exclusive Author
  • Has been a member for 3-4 years
  • Portugal
  • Referred between 10 and 49 users
  • Sold between 10 000 and 50 000 dollars
eduvoindo says

As TheRedGiant said very well, security wise, don’t trust anything to rely on client side! That must definitely be for a server side JS!

10 months ago via CodeCanyon |
dtbaker
2333 posts
  • Grew a moustache for the Envato Movember competition
  • Community Moderator
  • Elite Author
  • Contributed a Blog Post
  • Author was Featured
  • Item was Featured
  • Won a Competition
  • Repeatedly Helped protect Envato Marketplaces against copyright violations
  • Has been a member for 4-5 years
+8 more
dtbaker moderator says

a sniffer could still capture the hash, and then use that hash to login to that system as that user. only benefit could be if not using SSL , couldn’t capture the raw password. you’ll also have to fall back to a non-hashed non-javascript mode for certain browsers and mobile devices.

10 months ago via CodeCanyon |
ThemeOcean
2000 posts
  • United States
  • Bought between 50 and 99 items
  • Has been a member for 3-4 years
  • Exclusive Author
ThemeOcean says
eduvoindo said
As TheRedGiant said very well, security wise, don’t trust anything to rely on client side! That must definitely be for a server side JS!

Actually the plan was to add a salt and re-hash once it was on the server, but dtbaker has a point.

10 months ago via ThemeForest |

Search forums

Active threads

Introducing Dashboard Plus 116 replies, last by purethemes 12 minutes ago
How old are you, authors? 902 replies, last by seescore 58 minutes ago
First $100 In Sales! 1 replies, last by Viral-Legacy 1 hour ago
Post an Insane Lie about the Person Above 2 - Keep it Clean! 158 replies, last by scrnjakovic 1 hour ago
Dribble invitations 8 replies, last by ViniRamadhani 2 hours ago
What is your Next Project 875 replies, last by Alexlasek 2 hours ago
Envato Support - Response Times 4 replies, last by footagecentral 2 hours ago
by
by
by
by
by