I’m building a game for which the players can create accounts, you know, the standard scheme. But, I’d like to depend solely on Javascript, both on the server side (Node.js) and on the client side.
My primary means of communication with the server is usually Socket.io, and I guess that sending the passwords in plaintext isn’t a good idea – but I don’t know why! I mean, can someone sniff the traffic or something? How does that happen exactly? And most importantly, what’s the solution to this problem?
I know that I need to save passwords as hashes on the server-side.
Short answer is use HTTPS by creating your own SSL certificate.
Even GMail did not have an option to use HTTPS all the time until 2008. I’m constantly amazed how much we still don’t care about security.
Speaking of which, do salt your hashed passwords. Salting is easy… pick a word, any word. Append it to the password and hash that. (i.e. SHA1(password . mysalt)) A few people have had some trouble with that recently. Adding a bit ‘o salt will at least prevent an easy rainbow attack.