Toby :

Muhammad, the point everyone is trying to make is that user privacy is *not* increased. Presumably the increase in security you mean is that someone snooping the network traffic cannot see the password in clear text. However it is trivial to lookup MD5 hashes for common passwords (not to mention possible to straight up crack with a few Playstation 3’s). For the site in question the villain doesn’t even need to do a lookup or crack anything; he can just send the hash, like Chris and others noted. Anyone bright enough to snoop network traffic will know this.

_Assuming that forcing an attacker to look up a hash is sufficient deterrence is a dangerously incorrect assumption_! The proper approach is to send this information over a secure channel. A cheap SSL certificate is maybe $20/yr, and some hosts let you piggy-back on theirs for the cost of hosting. Use a server-side salt to store the hashed password so your database isn’t vulnerable if it is compromised.

Thanks for reading my article, Toby … It was just a way for increase user privacy that the user know the real string of password not be saved and the network does not carry the real password string … it was the increasable way for security solutions…

_Assuming that forcing an attacker to look up a hash is sufficient deterrence is a dangerously incorrect assumption_! The proper approach is to send this information over a secure channel. A cheap SSL certificate is maybe $20/yr, and some hosts let you piggy-back on theirs for the cost of hosting. Use a server-side salt to store the hashed password so your database isn’t vulnerable if it is compromised.

Yeah your method is right but with this method the user privacy has been increased. When you use both of theme the operation is so complicated and hackers must to pass the more operate to find the way.

When you submit a normal login form with the username of “user” and the password of “password”, these values are visible by a variety of methods, this is agreed.

When the server gets this data, assuming the password is stored as a hash in the database, it must apply the hash function, then compare the value to the database’s to look for a match.

Assuming you employ your method, then the values “user” and “5f4dcc3b5aa765d61d8327deb882cf99″ are thus exposed to interception. When the server gets this information, it checks directly against the database value without the need to hash it.

In either case, if a ‘hacker’ sends “password” and it is hashed then compared server side, or if the hacker sends “5f4dcc3b5aa765d61d8327deb882cf99″ and it is compared server side, there is no difference in the security of the code. Either way, the hacker can use their chosen method to intercept the data that is being posted in the form that the server is expecting it in. When the server EXPECTS a hash, and the hacker HAS a hash… that is no different than if the server EXPECTS plaintext and the hacker HAS plaintext.

Further, client-side hashing eliminates the possibility (at least the practical possibility) for hash salting, since your salt value would have to be within javascript code, and thus obtainable by a would-be hacker.

Again – it is always a good thing to be interested and creative when advancing data protection, but it is VITALLY important that you be prepared to abandon an idea or concept when shortcomings or loopholes are pointed out. Security is an industry with lots of chaff, and it’s all or nothing. Either it works, or it doesn’t, and I’m sorry to say, this method does not work – in that it does not achieve it’s stated purpose of increasing security.

You’re rights. I think this is the method for increasing the security of your privacy of users of web site. for example the users’s of your site have same password in another site. that the hacker can listen in and use it to another login page.

I know the hash and md5 also can be decode but the hacker must have a costing much time to decode that. This is the tip for increase hacks operation.

SSL is the securest technology but with this tip you have a simple method to increase the time and tries of hack.

But yes this is the simple way and hackers can be going on of target. Thank again for reading my article.

$_POST["password"]

Please do not suggest that anyone uses raw $_POST data when storing to a server-side database. Your suggested code also opens you up to a variety of other injection attacks, and doesn’t mention it at all.

Best of Luck.

Best of Luck.