Where do I salt and hash my Passwords? At the client or at the host?

Front-end | Unresolved | 3 answers | 1964 views
死守一世寂寞, 2021-01-06 11:12

I think it would be smarter to salt and hash passwords directly on the client's machine. The reason is, that I actually never want to get the password of the user. It is a

3 answers
  •  一向
    一向 (original poster)
    2021-01-06 11:57

    Generally, hashing is meant to obfuscate actual passwords and doesn't protect against replay attacks. You need a secure sockets layer for ensuring the channel is protected.

    What hashing is good for is to protect against information leaks. For instance, say someone got hold of your users table and now they have a great deal of accounts. Since people reuse passwords, the accounts can be used to attack other sites. Hashing makes it difficult to reverse the hash into a password.

    You want to hash a password at the client side only if you are going to store that password locally, such as a mobile device. Generally, you want to do the hashing at the server level.
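The server-side scheme the answer recommends, as an added example that is not part of the original post or the answer above: each user gets a random salt, the password is run through a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library, with an iteration count chosen here as an assumption), and verification uses a constant-time comparison. The last function shows the point about replay: if the client hashes and the server merely stores and compares that hash, the stored value is itself the credential, so a leaked table authenticates directly. Function names, the record format and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters (not from the original post): 16-byte random salt,
# PBKDF2-HMAC-SHA256 with a deliberately high iteration count.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Server-side hashing: random per-user salt plus a slow KDF.

    Returns a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'
    so the parameters can be raised later without breaking old records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


# A constructed in-memory "users table" standing in for a database.
def register(users: Dict[str, str], username: str, password: str) -> None:
    users[username] = hash_password(password)


def login(users: Dict[str, str], username: str, password: str) -> bool:
    record = users.get(username)
    # Run the KDF even for unknown users so timing does not reveal valid names.
    if record is None:
        hash_password(password, salt=bytes(SALT_BYTES))
        return False
    return verify_password(password, record)


def client_side_only_login(stored_client_hash: str, submitted_client_hash: str) -> bool:
    """Models the scheme the question proposes: the client sends H(password)
    and the server only stores and compares that value. Whatever is stored is
    exactly what must be submitted, so a leaked table replays as-is. This is
    the weakness the answer points out, shown here for contrast."""
    return hmac.compare_digest(stored_client_hash, submitted_client_hash)


if __name__ == "__main__":
    users: Dict[str, str] = {}
    register(users, "alice", "correct horse battery staple")
    register(users, "bob", "correct horse battery staple")
    # Same password, different salts: the records differ, so a leaked table
    # does not reveal that two accounts share a password.
    print(users["alice"] != users["bob"])
    print(login(users, "alice", "correct horse battery staple"))
    print(login(users, "alice", "wrong password"))
```

Records carry their own algorithm and iteration count, which is what lets a server raise the cost later and re-hash on the next successful login. The `login` helper runs the KDF for unknown usernames too, so response time does not distinguish "no such user" from "wrong password".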
