PHP Secure Login - Client-side options?

Question

Ok now I am confused. I have been getting advice from SO users on libraries to use with codeigniter for authentication. I have explored dx_auth and simpleloginsecure (I think I will use the latter due to its supposed secure hashing and small footprint).

BUT, what about hashing the password on the client side? I haven't seen any mention of this in the libraries' documentation. Regardless of how secure these libraries are, doesn't there need to be some client side encryption (js) so that passwords are never posted in plain text? Or am I missing something and these libraries somehow do cover this...

Thanks

Update: a couple answers below suggest SSL. However, I was under the impression that these php (codeigniter plugin) libraries were in lieu of SSL (was I completely mistaken here)? If I am mistaken, is there a secure way of accomplishing this without SSL? (In the past I have used a javascript md5 hash function to encrypt the password before posting it...but I was hoping for something more secure).

Update 2 Okay - so it seems like the consensus is that I should be using SSL. If this is the case, then what is the point of all those fancy php authentication libraries that perform all sorts of hashing. If SSL takes care of the encryption from the client to the server, then whats the point of using these libraries (dx_auth etc.. aside from maybe adding role capabilities)? Is it simply to ensure secure storage of the data on the server/database? (I would compare the level of sensitivity of the data on the project I am working on to that of stackoverflow..no credit cards or anything overly sensitive, just username, password etc.)

Answer 1

To encrypt the client side data, you would need to ssl.

Basically ssl sends the browser the encryption key at the start of each session, which post variables, etc are then encrypted with, and decrypted again at the other end by the server.

JS encryption could actually make your system less secure, as it would expose your hashing algorithm.

UPDATE:

hashing the password doesn't protect it from being snooped between the client and the server, but rather means that if someone hacks your site, or gains access to your database in anyway, all of the passwords are not viewable in plain text. This is especially important as many people use the same password for multiple sites.

Answer 2

Without knowing a single dot about CodeIgniter, I think your options would be:

1. Have the JavaScript jump in and hash the password before it's submitted. Is this even possible?

2. Use an SSL connection.

Also, you have to consider what you're transmitting. Unless it's life threateningly sensitive information, ask yourself - does this really need to be hashed for transmission?

And finally, if someone has a keylogger or other malware on their PC, it will render your client side hashing pointless anyways.

The point of hashing sensitive information is so that if the database where that information is stored becomes compromised, then no major damage has been done - since the attacker will not have an immediately useful information.

Answer 3

Hashing just the password on the client side is pointless because all requests to your site are still vulnerable to replay attacks. An attacker able to view the traffic would see a username and hashed password in the request - which could trivially be replayed, and the attacker would assume the identity of the user who submitted the request which was sniffed.

Enabling SSL is your best option, because then submitting the values in plain text are encrypted automatically and cannot be sniffed. Also, your users can trust that the data is coming from a valid source.

There are alternatives, however. You could also use a challenge-response authentication scheme if you don't want SSL, but this has some drawbacks as well. It really depends what you are doing on the site.

Answer 4

There is no advantage to encrypting on the client side. If you aren't using SSL, then the data can be intercepted no matter what. So even if you hash the password with say md5, the md5 hash is still sent in plain text, then intercepted, and can then be posted back to the login page by the third party. Sure they may not know the raw password, but they can still gain access. If you are concerned about security, either make a self signed certificate, or pay $10 to a RapidSSL reseller for a trusted cert.

Answer 5

Let the browser and server handle all the password encryption for you. To do this, make sure that you are using a secure connection (the protocol will then be https , eg https://www.example.com . You will need to setup your server to accept secure connections - try google for some tips.