Home/ Questions/Q 7818019
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-02T06:26:03+00:00

Hi I think I may have done this the wrong way round can anyone

  • 0

Hi I think I may have done this the wrong way round can anyone help explain how you hash/salt a password. Do you do it from the client or the webservice?

I have a datacontract which has a password datamember, in my service I do this to create a hash/salt of the password before it is saved:

  So here is the process in which I was thinking.

Rest Service has https for secure connection
User creates account (along with password)
//to stop packet sniffing when user creates account https is used during POST so no one can see the password? 
web service then creates a hash of the password to store it
//so if anyone did get access to the service/database they couldnt make much use of the data in terms of breaching accounts
Then some means to authenticate that user there after

Is this correct?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Sounds like you’re on the right track. Hashing along with the salt value should never occur on client side, as attackers will have access to that code. And https would indeed secure the connection, disallowing others from reading the data.

    During authentication you do the same thing: take the password the user entered via https, hash/salt that value, then compare the result hash with the value in the database. And of course if you ever return a Student object to the client, it should contain neither of the values.

    It may be wise not to reuse the Password property of Student since now you can’t tell whether it contains the plain password or the hashed value.

    • 0