How to send password securely from client side? [closed]

问题

Closed. This question needs to be more focused. It is not currently accepting answers.

---

Want to improve this question? Update the question so it focuses on one problem only by editing this post.

Closed 2 years ago.

Improve this question

I'm trying to make my REST API more secure. For the moment I'm hashing my password in my angular app with CryptoJs.SHA256 before sending it to my C# backend. But I realize it's better to hash password on server side. So how can I send a password only readable by the server? I'm going to add SSL but I know HTTPS is also breakable. Is there an other solution?

Thanks

回答1:

As Bruce Schneier says, "Anyone can design a cipher that he himself cannot break. This is why you should uniformly distrust amateur cryptography, and why you should only use published algorithms that have withstood broad cryptanalysis."

While nothing is 100% unbreakable, breaking HTTPS is significantly harder than breaking a homecooked security scheme made in JavaScript. Consider this: if you serve your super-secure JS over an untrusted (HTTP or HTTPS-with-invalid-certificate) connection, what prevents the attacker from substituting a broken version, which will bypass all the JS security? Nothing.

Modern browsers are going to great lengths to prevent HTTPS from being broken (with HSTS etc.); so it's significantly safer to rely on HTTPS (which can provide actual security when used correctly - "just ignore all those big red errors" is one simple way to break it) than on JS-over-HTTP (which only provides a feeling of security without an actual chance of being secure).

Further reading: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/

https://security.stackexchange.com/questions/3921/why-do-some-people-really-hate-security-via-client-side?rq=1

https://security.stackexchange.com/questions/8596/https-security-should-password-be-hashed-server-side-or-client-side

回答2:

There are a lot of sources out there on this topic, but few have actually analysed it. As a general rule, trust guidance from Thomas Pornin more than anybody else. I also highly recommend my own survey and recommendation on the topic.

回答3:

Not exactly a fullblown answer to your question, but i'd start by looking into using a KDF (Key Derivation Function) rather than just hashing your secrets. Some KDF libraries that you can look into are:

• PBKDF2
• bcrypt
• scrypt

https://en.wikipedia.org/wiki/Key_derivation_function

来源：https://stackoverflow.com/questions/34000297/how-to-send-password-securely-from-client-side