
Validating the length of a hashed password (registration) php

Ok, well, I seem to have hit a dilemma with my work. I have already got a working registration page where the user can sign up and all the fields are validated prior to being submitted; this validation is done with the exact user's input and measures the length of the password, username etc. client side.

However, before the form is finally submitted the password is hashed, in my hopes to stop people sniffing out passwords. So the server receives the details and the hashed password. My problem is that if the user changes the JavaScript validation to allow for a shorter password, my PHP script will have no way of telling. I can't allow users to have passwords shorter than 8 characters long, but it's almost impossible to run validation on the hashed password?

Although if the user has disabled JavaScript I can validate the password, as it will not have been hashed in the first place, it's when someone has altered the JavaScript to void the validation client side that I seem to be noticing a problem. Admittedly I could use encryption and decryption, but I feel there must be something I am overlooking, as I always do.

I don't really see the use of my posting my code, but if needs be I will. I apologize if I'm not very clear with my explanation or if I'm missing something blatant and obvious.

Passwords should be hashed server-side. Otherwise, the hash can be sniffed and replayed just as easily as a plain-text password. Don't forget to uniquely salt as well.

For transport, you need HTTPS.
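
The approach the answer describes, as an added example that is not part of the original post: the server receives the plaintext password (over HTTPS), enforces the 8-character minimum itself, and only then hashes it with a per-password salt. The function names, the 72-byte upper bound and the use of the mbstring extension are assumptions of this example.

```php
<?php
declare(strict_types=1);

const MIN_PASSWORD_CHARS = 8;   // minimum length stated in the question
const MAX_PASSWORD_BYTES = 72;  // assumption: bcrypt ignores input past 72 bytes

/**
 * Validate the plaintext password on the server, then hash it.
 * Returns [hash, null] on success or [null, error message] on failure.
 */
function register_password(string $password): array
{
    // The check runs on what the server actually received, so altering or
    // disabling the client-side JavaScript cannot bypass it.
    if (mb_strlen($password, 'UTF-8') < MIN_PASSWORD_CHARS) {
        return [null, 'Password must be at least 8 characters long.'];
    }
    if (strlen($password) > MAX_PASSWORD_BYTES) {
        return [null, 'Password must be at most 72 bytes long.'];
    }
    // password_hash() draws a fresh random salt on every call and embeds it
    // in the returned string, so no separate salt column is needed.
    return [password_hash($password, PASSWORD_BCRYPT), null];
}

/** Login check: password_verify() reads the salt back out of the stored hash. */
function check_password(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Constructed sample input; in the real form handler the value comes from
// $_POST, sent unhashed over HTTPS.
[$hash, $error] = register_password('short');
var_dump($hash === null, $error);                // rejected on the server

[$hashA] = register_password('correct horse battery');
[$hashB] = register_password('correct horse battery');
var_dump($hashA !== $hashB);                     // same password, different salts
var_dump(check_password('correct horse battery', $hashA)); // matching password
var_dump(check_password('wrong password', $hashA));        // non-matching password
```

Because the salt is stored inside the hash string, only that one value has to be kept per user.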

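Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you repost, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.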

 
© 2020-2024 STACKOOM.COM