Support the ongoing development of Laravel.io →
Authentication Security
Last updated 2 years ago.
0
  • always use HTTPS;
  • always use the bcrypt() function to hash passwords (https://laravel.com/docs/5.2/helpers#method-bcrypt), never create your own hashing functions / algorithms;
  • host your own server or use a reliabe hoster, if people have access to your server then hashing has no use because they can access the code / encryption keys / configs, etc and have access to the database...
Last updated 8 years ago.
0

ITCan said:

  • always use HTTPS
  • always use the bcrypt() function to hash passwords (https://laravel.com/docs/5.2/helpers#method-bcrypt)
  • host your own server or use a reliabe hoster, if people have access to your server then hashing has no use because they can access the code / encryption keys / configs, etc and have access to the database...

Of course I will use HTTPS, of course I am using bcrypt() and of course I trust my hoster, but this is not the case. The problem here is sending passwords in plaintext what should be avoided.

Motivation: http://stackoverflow.com/a/21716654

0

You could use sha1 (or any other algo) in javascript for the client side. But if you are using https (and only allow https connections) I dont think you really need to stress much about it.

Check http://www.movable-type.co.uk/scripts/sha1.html

To be clear the op said its for the client side, he will rehash on the server side using bcrypt and salt.

Good read on the topic at this link as well http://security.stackexchange.com/questions/93395/how-to-do-client-side-hashing-of-password-using-bcrypt

0

Sign in to participate in this thread!

Eventy

Your banner here too?

czerwonyd czerwonyd Joined 25 Jul 2016

Moderators

We'd like to thank these amazing companies for supporting us

Your logo here?

Laravel.io

The Laravel portal for problem solving, knowledge sharing and community building.

© 2024 Laravel.io - All rights reserved.