Does it make security sense to hash password on client end

Backend | Unresolved | 10 | 1640
清酒与你 2020-12-23 12:21

If you were to hash a user's password prior to sending it across the line and leaving it in plain-text in memory, would this improve the security of the application?

10 answers

南笙 (OP)
2020-12-23 12:34

    Yes, you should.

    IEEE had a data breach in which 100K emails and passwords were exposed from a weblog.

    http://ieeelog.com/

    Obviously, IEEE should not have exposed their weblog! But if they had hashed the passwords at the client side, this wouldn't have been nearly as bad.

    As the first answer states, you should use a nonce. If you use a long enough nonce (e.g. 128 bits), you don't really need to worry about reuse, as the server will never ask for the same nonce twice (assuming correctly seeded CRNG, etc.).
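The nonce-based login the answer describes, as an added example that is not part of the thread: the client derives a salted PBKDF2 verifier from the password (so the password itself never leaves the client), then proves it under a single-use 128-bit server nonce, so a captured login message cannot be replayed. The names (`Server`, `derive_verifier`, `client_login`) and the credentials are constructed for this illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example: the client hashes the password before it leaves the
# browser, and each login is bound to a fresh 128-bit server nonce.
ITERATIONS = 100_000


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Slow salted hash computed on the client; the server stores only this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Server:
    def __init__(self) -> None:
        self.users = {}    # username -> (salt, verifier)
        self.pending = {}  # username -> nonce issued for the login in flight

    def register(self, username: str, salt: bytes, verifier: bytes) -> None:
        # The plaintext password is never seen here, only the client-side hash.
        self.users[username] = (salt, verifier)

    def issue_challenge(self, username: str) -> tuple[bytes, bytes]:
        salt, _ = self.users[username]
        nonce = secrets.token_bytes(16)  # 128-bit nonce from a seeded CSPRNG
        self.pending[username] = nonce   # remembered only until it is used
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        salt, verifier = self.users[username]
        nonce = self.pending.pop(username, None)  # single use: replay fails
        if nonce is None:
            return False
        expected = hmac.new(nonce, verifier, "sha256").digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def client_register(server: Server, username: str, password: str) -> None:
    salt = os.urandom(16)
    server.register(username, salt, derive_verifier(password, salt))


def client_login(server: Server, username: str, password: str) -> bytes:
    """Fetch salt and nonce, then answer the challenge without sending the password."""
    salt, nonce = server.issue_challenge(username)
    return hmac.new(nonce, derive_verifier(password, salt), "sha256").digest()
```

The stored verifier is still password-equivalent for this one service, so a leaked database lets an attacker log in here, but it no longer reveals the password a user may have reused elsewhere, which is the damage the IEEE leak caused.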
