by cjfont 4478 days ago
When I have a simple app send a password to the server, I like to generate a hash on the client side and then rehash again on the server for storing.

As far as APIs, the good ones will hash your secret key together along with other data unique to your HTTP request, in particular the headers and the datetime. This is a good idea because:

1. you are not sending your secret key in clear text
2. it makes it difficult for a man-in-the-middle attack because they cannot just take your hash from one of your requests since it will be invalid after received or if some time has elapsed.

For an example, see how Knox sets up requests for Amazon AWS: https://github.com/LearnBoost/knox


> I like to generate a hash on the client side

I'm confused. What do you do with that hash then?

It is sent to the server, instead of the clear-text password. This isn't really necessary if you're using HTTPS, however.

Sending a straight hash of the password is no more secure than sending the password in cleartext - an attacker can just replay the hash they sniffed off the network.

As skyebook said, use HTTPS. There's no excuse.

This practice is more to prevent the user's password from being revealed than it is to prevent others from logging in as you. In a trusted environment, you may not care that someone there has access to your account, but you don't want them to know what password you chose.

Having said that, do use HTTPS when possible, but keep in mind some corporate environments force proxies that can see your traffic anyway.

I agree there's no excuse not to use (and force) HTTPS, but the parent did say:

> hash your secret key together along with other data unique to your HTTP request, in particular the headers and the datetime

So that isn't a straight hash and you can't just trivially replay. It does require you store the secret in the clear (or at least reversibly) on the server, but I see a lot of APIs do that...

For anyone reading: please just use HTTPS!
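The request-signing scheme described in the top post and in the reply quoting it (HMAC over the method, path, headers and Date, checked server-side with a freshness window), as an added example that is not code from the thread, from Knox or from AWS. The `SECRETS` table, the `HMAC <id>:<sig>` header format and the five-minute window are assumptions made for the example; note the server still has to hold the secret in the clear, as the reply points out.

```python
import hmac
import hashlib
import time
from email.utils import formatdate, parsedate_to_datetime

# Hypothetical server-side store of client secrets; value is constructed.
SECRETS = {"AKIDEXAMPLE": b"constructed-secret-key"}
MAX_SKEW = 300  # seconds a signed request stays acceptable (assumed window)

def canonical_string(method, path, headers):
    """String to sign: method, path and the headers both sides agree to cover."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # canonicalise names
    return "\n".join([method.upper(), path, h.get("content-type", ""), h.get("date", "")])

def sign(secret, string_to_sign):
    return hmac.new(secret, string_to_sign.encode(), hashlib.sha256).hexdigest()

def client_sign(access_id, secret, method, path, headers):
    """Client side: the secret never leaves the client, only the MAC does."""
    sig = sign(secret, canonical_string(method, path, headers))
    signed = dict(headers)
    signed["Authorization"] = f"HMAC {access_id}:{sig}"
    return signed

def server_verify(method, path, headers, now=None):
    """Server side: recompute the MAC from the request it actually received,
    compare in constant time, and reject Dates outside the window so a
    captured request cannot be replayed later."""
    now = time.time() if now is None else now
    try:
        scheme, rest = headers["Authorization"].split(" ", 1)
        access_id, sig = rest.split(":", 1)
    except (KeyError, ValueError):
        return False
    if scheme != "HMAC" or access_id not in SECRETS:
        return False
    try:
        sent = parsedate_to_datetime(headers["Date"]).timestamp()
    except (KeyError, TypeError, ValueError):
        return False
    if abs(now - sent) > MAX_SKEW:
        return False  # stale: replayed after the window or clock badly off
    expected = sign(SECRETS[access_id], canonical_string(method, path, headers))
    return hmac.compare_digest(expected, sig)

if __name__ == "__main__":
    hdrs = {"Date": formatdate(usegmt=True), "Content-Type": "application/json"}
    req = client_sign("AKIDEXAMPLE", SECRETS["AKIDEXAMPLE"], "PUT", "/bucket/key", hdrs)
    print(server_verify("PUT", "/bucket/key", req))
```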