Reputation: 1557
Is it safe to send a password with JSON in an HTTP POST from an Android app?
In the database I have a password hash and salt.
Maybe a better solution would be that the user first sends his username to the server, the server returns him the salt, then he computes the hash in the app and sends the password hash to the server. Is that safe? Is there a better way to do it?
Upvotes: 1
Views: 1774
Reputation: 1789
Yes, it is safe to send a password in a POST request as long as you are using HTTPS. The additional SSL layer will take care of security issues.
Upvotes: 0
Reputation: 664
It's safe if the server is using HTTPS (and it is implemented properly). If you're sending the salt to the client it is no better than sending the plaintext password, since any malicious user will also have access to the salt and can therefore generate the password hash.
If the salt you're using is a global one, stop. Each user needs an individual salt to prevent an attacker from easily brute-forcing your passwords. With a unique salt per user, an attacker would need to brute-force the entire password for each salt rather than brute-forcing all passwords with one salt.
You could use asymmetric encryption, where the server has its private key and the client has the server's public key, then encrypt the password with the public key and send it to the server. That should be secure in transit provided you're doing it properly. An attacker having access to the public key doesn't gain anything in the way of seeing passwords, since they can't decrypt your traffic with it.
Upvotes: 2
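As an added illustration of the server-side half described in the answer above (not code from the question or either answer), the following Python handler accepts the JSON login POST over TLS, keeps a random per-user salt that never leaves the server, and verifies the submitted plaintext with a slow salted KDF and a constant-time compare. The in-memory `_USERS` table, PBKDF2-HMAC-SHA256 as the hash, and the `handle_login` request shape are assumptions made for this example.

```python
import hashlib
import hmac
import json
import os

# In-memory stand-in for the database table of {username: (salt, hash)}.
# Constructed for this example; a real deployment uses a persistent store.
_USERS = {}

PBKDF2_ITERATIONS = 600_000  # cost factor; raise as hardware gets faster


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted key derivation so a leaked table cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    """Store a fresh random salt per user; the salt never needs to leave the server."""
    salt = os.urandom(16)
    _USERS[username] = (salt, _derive(password, salt))


def verify(username: str, password: str) -> bool:
    """Recompute the hash from the submitted plaintext and compare in constant time."""
    record = _USERS.get(username)
    if record is None:
        # Burn the same work for unknown users so timing does not reveal valid usernames.
        _derive(password, b"\x00" * 16)
        return False
    salt, expected = record
    return hmac.compare_digest(_derive(password, salt), expected)


def handle_login(post_body: str) -> dict:
    """Server side of the JSON login POST; the body is assumed to have arrived over TLS."""
    try:
        data = json.loads(post_body)
        username, password = str(data["username"]), str(data["password"])
    except (ValueError, KeyError, TypeError):
        return {"ok": False, "error": "malformed request"}
    return {"ok": verify(username, password)}


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    # Constructed request bodies as the Android client would send them over HTTPS.
    print(handle_login('{"username": "alice", "password": "correct horse battery staple"}'))
    print(handle_login('{"username": "alice", "password": "wrong"}'))
```

Because the client only ever sends the plaintext inside the TLS session, the server can change the salt or the hash parameters later without touching the app.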