We do not have clear-text passwords on our server, and we want to hash what the user entered in the app and then send it to the server (we send it over HTTPS).

We have md5(password) without salting on the server, but ASAP we will change it to md5(password+salt) or md5(md5(password)+salt) if it is secure! I read this question: Is it worth hashing passwords on the client side

But there was a problem. This is not secure if the server sends the salt to the app, because of the article below, under the "In a Web Application, always hash on the server" title: https://crackstation.net/hashing-security.htm

So if I send md5(password+random bits) + random bits to the server, the server can't recognize whether the password is true or not, because the server only has the hashes of the passwords!

2 Answers

MD5 is never secure for password hashing (source). Instead, I recommend using the bcrypt algorithm. It's indeed a good idea to perform the hashing operation server-side, so you should rely on security at the transport layer, e.g. use SSL rather than TCP (or HTTPS, as you are already doing).
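As an added example (not code from the question or either answer), here is the legacy unsalted MD5 record from the question beside a server-side, per-user-salted record, plus an upgrade-on-login step for migrating existing MD5 rows. It uses scrypt from Python's standard library in place of the bcrypt the answer recommends, because bcrypt needs a third-party package; the record format, parameters and function names are my own choices.

```python
import hashlib
import hmac
import os

# Legacy scheme from the question: unsalted MD5, stored as hex.
# Two users with the same password get the same record, so one cracked
# hash (or a precomputed table) breaks every account sharing it.
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def md5_verify(password: str, record: str) -> bool:
    return hmac.compare_digest(md5_store(password), record)

# Hardened server-side scheme: a random 16-byte salt per user and a slow,
# memory-hard KDF. scrypt stands in for bcrypt here; the server computes it
# over the clear-text password it receives on the HTTPS connection.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def scrypt_store(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)          # salt parameter exists only for tests
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Self-describing record (constructed format): params travel with the hash,
    # so the work factor can be raised later without a flag day.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def scrypt_verify(password: str, record: str) -> bool:
    try:
        scheme, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:                     # malformed or foreign record
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)

def login_and_upgrade(password: str, record: str) -> tuple:
    """Verify against either format. Returns (ok, record_to_store): on a
    successful login against a legacy MD5 record, the clear-text password is
    available, so the row is rewritten in the salted scrypt format."""
    if record.startswith("scrypt$"):
        return scrypt_verify(password, record), record
    if md5_verify(password, record):
        return True, scrypt_store(password)
    return False, record
```

Because the salt is generated and kept on the server, nothing has to be sent to the app before login, which is the problem the question ran into with client-side salting.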

Generally, you store the authentication hash server-side and you match that with the hash generated client-side from the user's inputted password. Obtain the original hash from the sign-in form. Post some code if you need more specific assistance. Hope that helps.