I have a server that is not using SSL, so I'm trying to find a way to secure the data being passed to the server. My first thought was jCryption, but it is not exactly what I need. So what I decided is that I could just pre-hash the password and send it to the server for comparison. So my question is, is there a sha1 utility that can be used for password verification purposes with PHP?
Comments:
- If you hash the password and send that to the server, then I don't need to know the password any more, just the hash - which I can intercept because you're sending that in cleartext! – Gareth, Mar 8, 2012 at 0:22 (3 upvotes)
- To avoid this you should double hash, the second time using a random one-time salt that you would also use server side for comparison. – leebriggs, Mar 8, 2012 at 7:50 (1 upvote)
- Good advice @leebriggs, I already implemented it. – nkcmr, Mar 8, 2012 at 22:02
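The exchange in the comments above, as an added example that is not part of the original thread: a static client-side hash is accepted again when replayed, while a response bound to a one-time server salt is not. It assumes Node.js with its built-in `crypto` module; the user table, function names and sample password are hypothetical and constructed for illustration.

```javascript
// Added example, not code from the thread. All names and data are hypothetical.
const nodeCrypto = require('crypto');

const sha256Hex = (s) => nodeCrypto.createHash('sha256').update(s, 'utf8').digest('hex');

// Server state (constructed sample data). The stored hash is password-equivalent.
const users = { alice: sha256Hex('correct horse') };
const pending = new Map(); // username -> outstanding one-time salt

// Scheme from the question: client sends sha256(password), server compares.
function naiveLogin(user, sentHash) {
  return users[user] === sentHash;
}

// Step 1 (server): issue a random one-time salt and remember it.
function issueChallenge(user) {
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  pending.set(user, nonce);
  return nonce;
}

// Step 2 (client): the second hash binds the password hash to this salt.
function clientResponse(password, nonce) {
  return sha256Hex(nonce + sha256Hex(password));
}

// Step 3 (server): recompute, compare in constant time, consume the salt.
function verifyResponse(user, response) {
  const nonce = pending.get(user);
  pending.delete(user); // single use, whether or not the check passes
  if (!nonce || !users[user]) return false;
  const expected = Buffer.from(sha256Hex(nonce + users[user]), 'hex');
  const got = Buffer.from(String(response), 'hex');
  return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
}

function demo() {
  const captured = sha256Hex('correct horse');        // value seen on the wire in the naive scheme
  const naiveReplay = naiveLogin('alice', captured);  // accepted: the hash works as the password
  const salt = issueChallenge('alice');
  const response = clientResponse('correct horse', salt);
  const firstUse = verifyResponse('alice', response); // accepted once
  issueChallenge('alice');                            // next login gets a fresh salt
  const replay = verifyResponse('alice', response);   // old response no longer matches
  return { naiveReplay, firstUse, replay };
}
```

This only defeats passive replay of a captured login: the value stored on the server is still password-equivalent, and without TLS it has to reach the server in the clear at registration.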
4 Answers
Try the Stanford Crypto library. It's pretty comprehensive but if you just need a single hashing function you can extract it from the core (it has sha1 and 256).
You shouldn't be using SHA1 to do your hashing anymore, since it's been broken for a while. Try SHA256.
2 Comments
- Well, is there a way for JavaScript to do SHA256? – nkcmr
- Come on.. that's unacceptably lazy. google.com/search?btnG=1&pws=0&q=sha256+javascript – Morgon
There it is
// Computes the SHA-1 digest of a string and returns it as lowercase hex.
async function sha1(message) {
  // encode as UTF-8
  const msgBuffer = new TextEncoder().encode(message);
  // hash the message
  const hashBuffer = await crypto.subtle.digest('SHA-1', msgBuffer);
  // convert ArrayBuffer to Array
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  // convert bytes to hex string
  const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
  return hashHex;
}