How to securely register a user?
tags: learning programming
- use a POST request for user registration, because with GET the password would appear in the URL, and hence in the server's logs (and browser history, proxies, referrers)
- in the POST request the password is sent in plaintext in the request body (not hashed; it is still the password), protected in transit only by HTTPS/TLS
- client-side hashing provides FALSE security
- if hash(password) is sent, then the hash has effectively become the password: attackers only need the hash to log in, they don't even need to know the original password
- the client's computational power is limited compared to the server's; the server usually runs a deliberately expensive (slow, memory-hard) hashing algorithm with many iterations, which a browser or phone could not afford
- if
The correct approach
- Send plaintext password over HTTPS
- Server immediately hashes with bcrypt/scrypt/Argon2 + unique salt
- Store only the hash, never the plaintext
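The three steps above as server-side code. This is an added example, not part of the original note: it assumes the `username`/`password` pair has already arrived in a POST body over HTTPS, uses `hashlib.scrypt` from the Python standard library as the stand-in for bcrypt/scrypt/Argon2 (the cost parameters and the in-memory `USERS` table are constructed for illustration), and stores only the per-user random salt and the derived hash.

```python
import hashlib
import hmac
import os

# In-memory stand-in for the users table (constructed for this example).
USERS: dict = {}

# scrypt cost parameters: assumed values for illustration, tune for your server.
# Memory use is roughly 128 * N * r bytes (16 MiB here).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash with scrypt (memory-hard; runs on the server only)."""
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=HASH_BYTES,
    )


def register(username: str, password: str) -> bool:
    """Handle the body of POST /register: hash immediately, store only salt + hash."""
    if username in USERS:
        return False
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}
    # The plaintext `password` is never written anywhere and goes out of scope here.
    return True


def verify(username: str, password: str) -> bool:
    """Handle a login: re-derive with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal whether the username exists.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("login ok:", verify("alice", "correct horse battery staple"))
    print("wrong pw:", verify("alice", "wrong"))
```

Because the salt is random per user, two accounts with the same password get different stored hashes, so a leaked table cannot be attacked with one precomputed lookup; and because the stored value is the output of a slow function rather than the submitted value itself, possessing the stored hash does not by itself let anyone log in, which is exactly what client-side hashing gets wrong.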