{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 唯我独甜 的问题《Sending password safely from the front-end to the》','https://www.manongdao.com/q-844560.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I've encrypted a password field in my DB by MD5, and I handle it encrypted in my back-end, but when user types their password in, it is in plain text.
Is there a safe way to pass the password from the front-end to the back-end? MD5 doesn´t have sense in this case...
NOTE: I'm using HTTPS and the POST Method.
While the accepted answer correctly describes how you should STORE passwords on the server side, the question was actually on how to transmit password safely from client to server.
I just want to make clear that the salting and hashing is done at the server side. The client would just sent the clear text password over a secure connection (
HTTPS) to the server.You can think about the following steps to protect the password:
Use HTTPS preferably with HSTS to protect the passwords during transport;
Use a password hash such as bcrypt instead of MD5 to protect the password on the server.
MD5 is not the best way to hash. MD5 is not considered secure anymore.
MD5 is not encryption; don't encrypt passwords, hash them, encryption can be decrypted, hashing cannot be reversed.