programmerboy February 2016

Sending hash password to WebAPI

I have a WebAPI application which is working fine. There are no problems logging in, registering, etc. However, I came across something which requires some attention. When somebody is registering or logging in, their passwords are sent in plain text. I know we can apply an HTTPS certificate and this will be solved. However, I am more looking for a solution where I can hash the password and WebAPI can automatically pick it up. I am not looking to make changes to the built-in WebAPI functionality to hash and store the PW. This is also to make sure that when I am using FF or Chrome developer tools, nobody can read the PW from the data being sent.

I am using Angular or jQuery AJAX to make calls to my WebAPI.

Answers


kadoga February 2016

It is possible to encrypt the password in the frontend and send the hashed password and salt + rounds (when used) to the server.

The problem arises when the user tries to log in: you need to get the salt and rounds to the frontend, hash their password (which they typed in), and send it to the server; there you do a compare like hashedPassword == hashedPassword and return true/false.

So in my opinion this is less secure than just doing all of it on the server side. The only benefit is that no one can see your password in your dev tools or in the payload.

Post Status

Asked in February 2016
Viewed 2,521 times
Voted 12
Answered 1 time
