Question
I've encrypted a password field in my DB with MD5, and I handle it encrypted in my back-end, but when a user types their password in, it is in plain text.
Is there a safe way to pass the password from the front-end to the back-end? MD5 doesn't make sense in this case...
NOTE: I'm using HTTPS and the POST Method.
Answer 1:
You can think about the following steps to protect the password:
- Use HTTPS, preferably with HSTS, to protect the passwords during transport;
- Use a password hash such as bcrypt instead of MD5 to protect the password on the server:
  - hash passwords with salt;
  - use a high work factor for bcrypt.
MD5 is not the best way to hash. MD5 is not considered secure anymore.
MD5 is not encryption. Don't encrypt passwords, hash them: encryption can be decrypted, while hashing cannot be reversed.
Answer 2:
While the accepted answer correctly describes how you should STORE passwords on the server side, the question was actually about how to transmit a password safely from client to server.
I just want to make clear that the salting and hashing are done at the server side. The client would just send the clear text password over a secure connection (HTTPS) to the server.
Source: https://stackoverflow.com/questions/37701116/sending-password-safely-from-the-front-end-to-the-back-end-using-md5