I ran across a script that hashes the password before sending it to the server side.
nothing complicated:
- download the md5 javascript library, and run the password through the encryption function before submitting the form ( also, set the clear password to null)
on the server side you store the MD5 hash in your users Table.
now, someone pointed out that you could still steal the MD5 and then make your own form with a field with name=“encrypted_password” and with value="%INSERT_STOLEN_HASH%" and submit it the server.
So, i guess at that point, i didn’t see the benefit of encrypting the password on the client side. I read some stuff about “salting” the password that you store in your database, but I didn’t really understand how that stopped a hacker from using the stolen hash i just talked about.
can someone point me to the right direction?