Sending hash password to WebAPI

I have a WebAPI application which is working fine. There are no problems logging in, registering etc. However, I have come across something which requires some attention. When somebody is registering or logging in, their passwords are sent in plain text. I know we can apply an HTTPS certificate and this will be solved. However, I am looking more for a solution where I can hash the password and WebAPI can automatically pick it up. I am not looking to make changes to the built-in WebAPI functionality to hash and store the PW. This is also to make sure that when I am using the FF or Chrome developer tools, nobody can read the PW from the data being sent.

I am using Angular or jQuery AJAX to make calls to my WebAPI.

It is possible to encrypt the password in the frontend and send the hashed password and salt + rounds (when used) to the server.

The problem arises when the user tries to log in: you need to get the salt and rounds to the frontend, hash their password (which they typed in), send it to the server, and there you do a compare like hashedPassword == hashedPassword and return true/false.

So in my opinion this is less secure than just doing it all on the server side. The only benefit is that no one can see your password in your dev tools or in the payload.
