
Can you send MD5 encrypted passwords over HTTP? Can you send passwords over websockets?



It's perfectly possible to use MD5 to hash a password in JavaScript before transmitting it by HTTP. There isn't a huge security benefit to doing so, however.

-----


Only doing that won't help. You might as well be transmitting the password, since someone can just copy the hash and then it would be equivalent to having the password. (Also known as a Pass the Hash attack, http://en.wikipedia.org/wiki/Pass_the_hash).

-----


Each website could have a salt. The issue is, if it's not a secure connection, it's vulnerable to hijacks.

-----


You can send a salted md5 password, which is how I implemented it years ago. The salt is supplied by the server and attached to the session.

-----


The right way to do that is Digest authentication, which is a challenge-response mechanism (so you never actually send a password or something equivalently stealable). I call it the right way mostly because it's built into just about all servers and clients; doing it over HTTP is still not a terribly good idea.

-----
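As an added illustration of the replay point the thread makes (this is not code from any commenter): a plain client-side salted MD5 hash is accepted again verbatim if captured, while a server-issued one-time nonce bound into the response, in the spirit of Digest's challenge-response, is rejected on replay. The password, salt and nonce size are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed credential store: the server keeps a salted hash, not the password.
USER_SALT = "c0ffee"  # constructed per-user salt
STORED = hashlib.md5(b"hunter2" + USER_SALT.encode()).hexdigest()


def static_client(password: str) -> str:
    """Scheme 1: client sends md5(password + salt) directly over the wire."""
    return hashlib.md5(password.encode() + USER_SALT.encode()).hexdigest()


def static_login(sent: str) -> bool:
    """Server compares the sent hash to the stored one; nothing ties it to this login,
    so a captured value is password-equivalent (pass-the-hash)."""
    return hmac.compare_digest(sent, STORED)


class NonceServer:
    """Scheme 2: server issues a one-time nonce and expects a response bound to it."""

    def __init__(self) -> None:
        self.outstanding: set[str] = set()

    def challenge(self) -> tuple[str, str]:
        nonce = secrets.token_hex(16)  # 128-bit random, never reused
        self.outstanding.add(nonce)
        return USER_SALT, nonce

    def verify(self, nonce: str, response: str) -> bool:
        # Each nonce is accepted once; a replayed (nonce, response) pair fails here.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        expected = hmac.new(STORED.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: str, nonce: str) -> str:
    """Client derives the same salted hash, then binds it to the nonce.
    Note: the stored hash is still password-equivalent for this protocol (as in
    Digest), so the server store needs protecting, and without TLS an active
    attacker can still hijack the authenticated session."""
    h = hashlib.md5(password.encode() + salt.encode()).hexdigest()
    return hmac.new(h.encode(), nonce.encode(), hashlib.sha256).hexdigest()
```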



