Reputation: 961
Can I convert a password entered into a form to an MD5 hash using JavaScript before sending it to my PHP validation page?
If yes, how?
Or is there an easier way to do it?
Thank you.
Upvotes: 2
Views: 3536
Reputation: 173662
There are a few simple rules regarding password handling:
To safely transfer passwords from the browser to your server, use SSL! Don't settle for anything less if you're truly worried about security.
Perform password hashing on the server only. Hashing on the client side depends on JavaScript, which is not always there.
It may seem obvious, but you can only reliably hash passwords with a password hash function, such as password_hash() (ships with PHP since 5.5) or via the password_compat library.
Upvotes: 7
Reputation: 655755
Your intention not to send any plain password is absolutely commendable. But simply hashing the password on the client side and sending the hash instead of the plain password won’t help much. Because although it’s not the plain password that is used for authentication, it’s the hash that is now used instead. So an attacker that eavesdropped on the communication would simply use the hash instead of the plain password. So this won’t help much, not to mention that a client won’t have JavaScript support.
However, it’s worth mentioning that there are authentication schemes that work that way (e.g. HTTP Digest Access Authentication Scheme). But there still needs to be a secure and trusted channel where the password is initially sent to the server. So HTTPS is still a must.
Upvotes: 2
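Added example, not part of any answer in this thread: a Node.js sketch comparing the design from the question (browser sends an MD5 hash, server compares it) with server-side hashing as the answers above recommend. The function names, the in-memory user tables and the sample password are constructed for illustration, and Node's `crypto.scryptSync` stands in for PHP's `password_hash()`.

```javascript
const crypto = require('crypto');

// MD5 as the question's browser-side script would compute it.
const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Design A (from the question): the browser sends md5(password) and the
// server stores and compares that value. Hypothetical in-memory user table.
const weakDb = new Map();
function weakRegister(user, clientHash) { weakDb.set(user, clientHash); }
function weakLogin(user, clientHash) {
  const stored = weakDb.get(user);
  return stored !== undefined && stored === clientHash;
}

// Design B (from the answers): the password travels inside HTTPS and only
// the server hashes it, with a per-user salt and a slow password hash.
// scrypt is an assumption here, used in place of PHP's password_hash().
const strongDb = new Map();
function strongRegister(user, password) {
  const salt = crypto.randomBytes(16);
  strongDb.set(user, { salt, hash: crypto.scryptSync(password, salt, 32) });
}
function strongLogin(user, submitted) {
  const rec = strongDb.get(user);
  if (!rec) return false;
  const candidate = crypto.scryptSync(submitted, rec.salt, 32);
  return crypto.timingSafeEqual(candidate, rec.hash);
}

function demo() {
  const password = 'correct horse battery staple'; // constructed sample
  weakRegister('alice', md5(password));
  strongRegister('alice', password);

  // In design A this is the exact value that crosses the network, so
  // whoever sees it holds the login credential without knowing the password.
  const valueOnTheWire = md5(password);
  return {
    weakAcceptsObservedHash: weakLogin('alice', valueOnTheWire),
    strongAcceptsMd5Value: strongLogin('alice', valueOnTheWire),
    strongAcceptsPassword: strongLogin('alice', password),
  };
}

console.log(demo());
```

In design A the MD5 value is itself the credential, so client-side hashing does not remove the need for HTTPS; in design B the server re-hashes whatever is submitted, so only the real password authenticates.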
Reputation: 382881
You shouldn't do that anyway.
JavaScript can easily be disabled and you will be saving/manipulating a plain password. Use PHP instead for that.
Upvotes: 1
Reputation: 11588
You need to convert the plain-text password to an MD5 hash using PHP only. As Sarfraz pointed out, the user can easily disable JavaScript in their browser, rendering the MD5 process useless. If they disable JS, the plain-text password might be sent to the database without encryption.
If you're concerned about data transfer security, buy an SSL certificate to ensure everything in the form is being sent over HTTPS.
Upvotes: 1
Reputation: 46060
You can, but it does not increase the security of your application.
Here is a JS implementation of the PHP md5 function: http://phpjs.org/functions/md5
Upvotes: 0