Server side hashing
This is actually a little hard to get your head around. If you are authenticating a client on a server:
- first off: you need to use SSL/HTTPS
- second: don't put plaintext passwords in the database, only the hash, preferably with a random salt
- third: it does not matter very much where you hash the password.
The difference is explained here. First, look at hashing at the client side.
For example purposes: a client has already registered, and its password has been hashed and put in a database. Let's say the password was "secret":
| password | stored hash |
|---|---|
| secret | 3091lha-08er-123j4qwjdlawsk |
If you hash it at the server side, an eavesdropper will see "secret" going by. If you hash it at the client side, an eavesdropper will see "3091lha-08er-123j4qwjdlawsk" going by.
Both have the same problem: when the client hashes, the server no longer does anything to hash, so the hash alone is enough to log in. Either way, the attacker would replay whatever was captured, and that would work.
The hash is purely there for storage, so that the database can't be used when compromised.
You could hash once at the client side and once at the server side, but that is more or less useless when you use SSL (and you should).
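To make the three layouts comparable side by side, here is an added example (not code from the original page) that simulates a constructed in-memory user database and a client that sends whatever its scheme prescribes over the wire. It compares server-only hashing, client-only hashing, and hashing on both sides on three questions: does the wire carry the plaintext, does replaying a captured credential log in, and does the stored database value itself log in. The `Scheme` class, PBKDF2 with an assumed work factor, and the `alice`/`secret` sample account are all assumptions made for the demo, not something the page specifies.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the demo


def server_hash(secret: str, salt: bytes) -> str:
    """Salted, slow hash as stored in the database when the server hashes."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS).hex()


def client_hash(password: str) -> str:
    """Unsalted fast hash a client-side scheme would send over the wire."""
    return hashlib.sha256(password.encode()).hexdigest()


class Scheme:
    """One layout of where the password gets hashed: client, server, or both."""

    def __init__(self, hash_on_client: bool, hash_on_server: bool):
        self.hash_on_client = hash_on_client
        self.hash_on_server = hash_on_server
        self.db = {}  # constructed in-memory database: user -> (salt, stored value)

    def credential_on_wire(self, password: str) -> str:
        """What the client transmits; without TLS an eavesdropper sees exactly this."""
        return client_hash(password) if self.hash_on_client else password

    def register(self, user: str, password: str) -> None:
        wire = self.credential_on_wire(password)
        if self.hash_on_server:
            salt = os.urandom(16)
            self.db[user] = (salt, server_hash(wire, salt))
        else:
            # Client-only hashing: the server stores the received value as-is.
            self.db[user] = (b"", wire)

    def login(self, user: str, wire: str) -> bool:
        """Server-side check of whatever arrived on the wire."""
        salt, stored = self.db[user]
        candidate = server_hash(wire, salt) if self.hash_on_server else wire
        return hmac.compare_digest(stored, candidate)


def replay_succeeds(scheme: Scheme, user: str, password: str) -> bool:
    """Replaying a credential captured from an unencrypted session."""
    captured = scheme.credential_on_wire(password)
    return scheme.login(user, captured)


def stored_value_logs_in(scheme: Scheme, user: str) -> bool:
    """Whether a leaked database row is, by itself, a working credential."""
    _, stored = scheme.db[user]
    return scheme.login(user, stored)


def compare_schemes(user: str = "alice", password: str = "secret") -> dict:
    """Run all three layouts on the same sample account and collect the answers."""
    layouts = [("server-only", False, True), ("client-only", True, False), ("both", True, True)]
    results = {}
    for name, on_client, on_server in layouts:
        scheme = Scheme(on_client, on_server)
        scheme.register(user, password)
        results[name] = {
            "wire_is_plaintext": scheme.credential_on_wire(password) == password,
            "replay_succeeds": replay_succeeds(scheme, user, password),
            "stored_value_logs_in": stored_value_logs_in(scheme, user),
        }
    return results


if __name__ == "__main__":
    for name, answers in compare_schemes().items():
        print(f"{name:12s} {answers}")
```

Replay works in every layout, which is why transport encryption is the control against eavesdropping, not the choice of where to hash. Client-only hashing has the extra weakness that the database row is itself the credential, so hashing on the server (with a random salt) is what makes a leaked database useless for logging in.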