I am working on a system (PHP based, but unimportant for this) that keeps users passwords saved on a database. However, in terms of security I need to think about how to secure the passwords and to ensure the integrity of the password transfer mechanism.
I have opted to secure the passwords in the DB that are hashed with a salt, but in terms of transferring the password from the browser to the server (will be working for non secure connections), I am not sure as to how I can check it.
So my question is, does anyone know any secure mechanisms that could allow for the client to send their password that can then be compared to the DB (hased with a salt) without the password being in plaintext anywhere except for the clients browsers memory?
The way this is done across all the industry is by sending the password in clear text over an SSL channel.
That is, you have to make sure that the login page – and all the resources it loads – are served over HTTPS. This will protect the password in transit. Once the password gets on the other side, you can hash and compare to what you have in the database.
Sending an hash or other esoteric solutions (to respect your “password in cleartext only in the browsers memory”) won’t do anything but swap a secret for another – the attack surface remains unchanged.
You can obfuscate the password on the client side and add a time based component, but since all the logic has to be on the client anyway it can be reversed, so you are just adding “obscurity” (and security through obscurity is not worth it).