Proper way to send username and password from client to server

The important parts are that you transmit the form data in the POST body (that way it’s not cached anywhere, nor normally stored in any logfiles) and use HTTPS (that way, if you have a good SSL/TLS certificate, nobody can sniff out the password from observing your network traffic). If you do that, there is no big extra benefit in hashing the password, at least not during the transmission.

Why do people talk about hashing passwords, then? Because normally you don’t want to store the user’s password in plaintext form in your server-side database (otherwise the impact of a compromised server is even worse than it would be otherwise). Instead, you usually store a salted/hashed form, and then apply the same salt/hash to the password received via the form data, so that you can compare the two.

For more information on salting, see http://en.wikipedia.org/wiki/Salt_(cryptography) (and the links there).

Leave a Comment