Home/ Questions/Q 8910663
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T03:44:47+00:00

I was looking at Stanford’s JavaScript crypto library and realized I could do hashing

  • 0

I was looking at Stanford’s JavaScript crypto library and realized I could do hashing on the client.

Previously, I’ve been using PHP crypt() which is concise because with one command –
crypt() I generate both a crypt type, random salt, the hash and put these three items into a string( md5, I know it’s a bit fast but OK for now, read here ).

Looks like this:

crypt() MD5 hash example:          $1$rasmusle$rISCgZzpwk3UhDidwXvin0

However if one encrypts on the client using: Stanford’s Crypto Library, and utilizing their implementation of SHA-256, one would have the added benefit of hiding the password while it is in transit to the server.

However while hiding the password, it exposes the hash in transit which is actually used to do the sql lookup.

I could hash on both ends – client and server to solve this problem. Would this be over-kill?

What is the standard, secure way to hash passwords?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Honestly? It would be best to hash your passwords on the server side. Then, make sure that your app is using HTTPS (SSL/TLS) so that attackers can’t sniff the network and retrieve plaintext passwords that are in transit. For the login page, you can force visitors to use HTTPS by using the following:

    <Location /login.php>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Location>

    Obviously, you’ll need to configure your web server for SSL before this will provide any security.

    • 0