If I wanted to encrypt a password on my website before it's sent to the server, would I have to encrypt the password in JavaScript on the frontend for it to be hidden over the internet, or could it be encrypted in my Flask backend code over the internet somehow? I'm just a little confused about what code is actually sent to the user to run locally on their own machine. Anything to help me understand would help a lot.
- Could you explain why you need encryption? If you want to prevent other people on the network from reading the password, standard "transport encryption" would be sufficient. HTTPS provides exactly such an encryption and protects all communication between browser and server except for the domain name. Certificates for HTTPS can be obtained at zero cost from Let's Encrypt. (amon, Jun 7, 2021 at 22:16)
- You might want to check out this question on Information Security Stack Exchange: Why is client-side hashing of a password so uncommon? tl;dr: Stop worrying and just set up HTTPS. (Philipp, Jun 8, 2021 at 10:05)
- "If I wanted to encrypt a password on my website before it's sent to the server" Are you sending a password from the client (not a website) to the webserver, or storing a password on your webserver to pass to another server, e.g. a database? (JimmyJames, Jun 8, 2021 at 16:44)
1 Answer
As user amon said in comments, HTTPS is the standard way to encrypt passwords (and everything else) in transit between the browser and the server. There's only very rarely a good reason to use anything else there.
But for passwords that's not quite enough. You should also be concerned about the security of password information stored at rest in your database.
For the standard case of user passwords used to log in to a website, you want hashing, not encryption. This is because there's normally no need for anyone to ever read the password out of the database: all you need to be able to do is check that the password someone types when they try to log in matches the password set for that account.
Choose a purpose-made password hashing algorithm that has been widely studied and recommended by information security experts over the last few years. As of 2021, such algorithms include Argon2 and bcrypt, but not SHA or MD5. The use of password hashing algorithms should mean that even if an attacker manages to get hold of all the information your system has, they shouldn't easily be able to crack many users' passwords.