
I am very new to authentication/SSL, especially combined with iOS. My question is, if I am sending a username and password to, let's say, https://server.com/login.php, do I need to hash my passwords in the iOS client, or can I post the text of the password and then hash it before it is stored in the DB?

1 Comment

Hashing doesn't help you much if your server accepts password hashes instead of the password. You prevent the password from being revealed, but the password hash can still be used to authenticate with your service. Commented Aug 13, 2012 at 20:39

2 Answers


Hash them beforehand for sure! Sure you're using https, but it's a best practice to never send sensitive information in plain text if you can help it.



Sending a hash or the cleartext password is essentially the same issue.

If an attacker can capture data from the connection between client and server, he can later authenticate himself, impersonating the client, by sending either the hash or the cleartext password to the server.

The key point is to use HTTPS, which encrypts communication between client and server, so that an attacker cannot intercept the data (hash or password) the client is sending to the service.

That said, hashing the password is good practice for the client so that no one will know the real user password (even if the client stores the hash in memory for usability, you should never store cleartext passwords anywhere).

4 Comments

It is not essentially the same. The hash should be combined with a nonce or salt to make it unique for that transaction. This reduces the effectiveness of replay attacks.
@Leigh but if you salt it on the device, you would have to send the salt anyway which assumingly could be intercepted as well.
@Leigh. Ok, you are right, but you can combine the clearPass with a nonce too, obfuscating the password the same way you are obfuscating the hashed password. I agree a hash should be used, but in order to avoid working with real passwords (and let the user be the only one who knows it). imho, of course
@mkral of course, you send the nonce, it may get intercepted, you hash the password+nonce, and send the hash back, which may also get intercepted. The thing is that the nonce is used once only. It doesn't matter if an attacker intercepts it, that hash cannot be re-used because it is a one-time deal. All they have is a hash that they have to brute force crack, so as long as you're using a strong hashing algorithm it's a non-issue.
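To make the comment thread concrete, here is an added example (not code from the question or either answer) of the nonce-based exchange that Leigh describes, combined with the salted server-side hashing the question asks about. The server keeps an in-memory user table with a per-user salt and a PBKDF2 verifier, hands the client a fresh one-time nonce, and accepts only an HMAC of that nonce keyed with the verifier. The class and function names, the iteration count and the sample user are all assumptions of this example. One caveat a practitioner should see: in this scheme the stored verifier is password-equivalent for the protocol (whoever reads the database can answer challenges), so it does not remove the need for HTTPS or for protecting the user table; what it does remove is the ability to replay a captured login message.

```python
import hashlib
import hmac
import os
import secrets

# Assumed work factor for the password-derived key (example value).
PBKDF2_ITERS = 100_000


class Server:
    """Constructed in-memory server: salted PBKDF2 verifiers plus one-time nonces."""

    def __init__(self):
        self.users = {}   # username -> (salt, verifier)
        self.nonces = {}  # username -> outstanding nonce (consumed on first use)

    def register(self, username, password):
        # Never store the cleartext password: derive a salted, slow verifier.
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
        self.users[username] = (salt, verifier)

    def challenge(self, username):
        # Issue a fresh random nonce; sending it over the wire is fine, it is used once.
        if username not in self.users:
            return None
        salt, _ = self.users[username]
        nonce = secrets.token_bytes(16)
        self.nonces[username] = nonce
        return salt, nonce

    def verify(self, username, response):
        # pop() makes the nonce single-use: a replayed response has nothing to match.
        nonce = self.nonces.pop(username, None)
        if nonce is None or username not in self.users:
            return False
        _, verifier = self.users[username]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(expected, response)


def client_response(password, salt, nonce):
    """Client side: derive the same key from the password, then MAC the nonce."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    """Run a legitimate login, a replay of its captured response, and a wrong password."""
    server = Server()
    server.register("alice", "correct horse battery staple")  # constructed sample user

    # 1. Legitimate login: fresh nonce, correct password.
    salt, nonce = server.challenge("alice")
    captured = client_response("correct horse battery staple", salt, nonce)
    legitimate = server.verify("alice", captured)

    # 2. Replay: an eavesdropper resends the captured response against a new nonce.
    server.challenge("alice")
    replayed = server.verify("alice", captured)

    # 3. Wrong password against a fresh nonce.
    salt3, nonce3 = server.challenge("alice")
    wrong = server.verify("alice", client_response("not the password", salt3, nonce3))

    # 4. A response with no outstanding challenge is also rejected.
    stale = server.verify("alice", captured)

    return legitimate, replayed, wrong, stale


if __name__ == "__main__":
    print(demo())
```

The `demo()` function returns `(True, False, False, False)`: the live login succeeds, the replayed message fails because its nonce has already been consumed, the wrong password fails, and a response sent without a challenge fails. Notice that the client never transmits the password or a reusable hash of it, which is the property the comments are after; the verifier stored by the server is still a high-value secret, so the usual server-side controls (HTTPS, restricted database access, a slow salted KDF) remain in place.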
