
What would be the point of hashing on the client? Let's say you're using md5, and you hash the password before you send it. Chances are, that un-salted hash can be easily decrypted by any number of reverse-lookup tables around online. You can't salt the hash client side, because anyone can look at your JS and find your salting tactic.

The best approach to securing information going from client to server is SSL.



It doesn't matter that they know your salting tactic, it still stops reverse-lookup tables with common passwords online.


However, any salting tactic that can be pushed and used on the client side would have a tough time using a salt that is on a per-user basis. This means that if you could salt it client side, you would need to have a static salt, which is significantly less secure than a unique salt per user.


> However any salting tactic that can be pushed and used on the client side would have a tough time using a salt that is on a per-user basis.

How so? Surely the client would know their username too?



