I'm currently storing bcrypt encrypted passwords in my database. At the moment my html forms submit a clear text password to my server, which then compares the bcrypt result (of the clear text) for a match. This is working fine, but my understanding is that submitting a clear text password, regardless of whether it is over https, is bad practice. I was thinking of submitting an MD5 hash client side, but I would then have nothing to compare it to on the server side, as it would not equal the bcrypt md5 hash. To increase security, should I perform a client side bcrypt of the password and submit that, and then just do a direct comparison on the server? I appreciate any advice, thank you.
' becomes a valid pw... – dandavis Nov 12 '17 at 23:53
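The three designs the question weighs, side by side, as an added example (this is not code from the question or its commenters). PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the block runs without third-party packages; the flow is the same with bcrypt. The password and the client-side salt are constructed values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Stand-in for bcrypt: a salted, deliberately slow hash from the standard library.
ITERATIONS = 100_000
# Constructed: a browser-side scheme needs a salt the browser can reproduce
# (e.g. derived from the username), which is exactly why the stored value
# ends up equal to what travels over the wire.
CLIENT_SALT = b"constructed-per-user-salt"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted slow hash, encoded as algo$iterations$salt$digest (base64 fields)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(digest, expected)


def login_server_hashed(submitted_password: str, stored: str) -> bool:
    """Scheme A (what the question does today): the browser sends the password
    over TLS, the server hashes and verifies. A leaked row is not a password;
    it still has to be cracked before it is usable."""
    return verify_password(submitted_password, stored)


def login_client_hashed_direct(submitted_hash: str, stored: str) -> bool:
    """Scheme B (what the question proposes): the browser hashes, the server
    compares strings. The stored value IS the credential, so a leaked row logs
    in as-is; this is no better than storing the password in clear."""
    return hmac.compare_digest(submitted_hash.encode("ascii"), stored.encode("ascii"))


def store_from_client_hash(client_hash: str) -> str:
    """Scheme C: if hashing in the browser is wanted anyway (e.g. to keep the raw
    password out of server logs), treat the client hash as the password and
    hash it again server-side with a fresh random salt."""
    return hash_password(client_hash)


def login_client_hashed_rehashed(submitted_hash: str, stored: str) -> bool:
    return verify_password(submitted_hash, stored)


def demo() -> dict:
    password = "correct horse battery staple"  # constructed
    row_a = hash_password(password)                         # scheme A database row
    client_hash = hash_password(password, salt=CLIENT_SALT)  # what the browser would send
    row_b = client_hash                                     # scheme B row == wire value
    row_c = store_from_client_hash(client_hash)             # scheme C row
    return {
        "a_correct": login_server_hashed(password, row_a),
        "a_wrong": login_server_hashed("wrong password", row_a),
        "a_leak_replay": login_server_hashed(row_a, row_a),          # leaked row does not log in
        "b_leak_replay": login_client_hashed_direct(row_b, row_b),   # leaked row logs in
        "c_correct": login_client_hashed_rehashed(client_hash, row_c),
        "c_leak_replay": login_client_hashed_rehashed(row_c, row_c),  # leaked row does not log in
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

What the results show: TLS is what protects the password in transit, and bcrypt on the server is what protects it at rest. Hashing in the browser and doing a direct comparison (scheme B) turns the stored hash into the password itself, so a database leak gives immediate logins. If client-side hashing is still wanted, the server must hash the received value again with its own salt (scheme C), which is the only variant that keeps both properties.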