This may be a silly question, but I need to get clear on whether we need to hash the password in the front end before sending it to the back end via HTTPS, or whether that is not necessary. What is the best practice for this use case? Usually, I use atob() / btob() to encrypt before sending to the backend. Thanks in advance
Argon
- It could be considered silly that no research had been done on the topic before the question was posted. That said: HTTPS is secure. You don't need to pre-encrypt the data before sending it over a secure channel. It's much more important to make sure the password itself is not stored (i.e. use secure hashing techniques), and that you keep your server secure so that no one can grab the password in plain text from the running server process. – Peter Duniho Apr 06 '20 at 05:06
- @PeterDuniho Thanks for the reply. There are some articles that say sha256 is also breakable, so what is your suggestion? Do we need to move to sha512 or something? – Argon Apr 06 '20 at 05:11
- I'm not aware of any credible report that claims SHA256 has been broken (by "broken", I mean, and you should too mean, that someone has figured out a way to artificially create an input to the algorithm that produces the same output as some _unknown_ other input). The Treadwell Stanton DuPont claim -- the only such claim I'm even aware of -- has been thoroughly debunked. This is all information you could and should research on your own. Stack Overflow isn't a discussion group, nor a place to ask questions that Bing or Google could answer just as well. – Peter Duniho Apr 06 '20 at 05:17
- @PeterDuniho Thank you so much. I will do the research – Argon Apr 06 '20 at 05:19