User account password hashing

Question

We are developing a mobile app that includes a user account system. Currently, we have a system password flow like this:

User enters password -> SHA-256 HMAC hash with key -> server -> SHA-256 hash -> database

I have 3 questions:

Is this secure enough for release?
Would it be secure to store the client-side password hash to save the login?
If #2 is a no, would it be better to encrypt the hash using AES-256 and then store it?

We're assuming the connection between the client and server is encrypted? — schroeder, Jul 10 '15 at 18:30

score 0 · Accepted Answer · answered Jul 10 '15 at 18:40

You are hashing on the client, then encrypting again on the server? If you are under SSL, sending the hash from the client isn't really any more secure than sending the password in plaintext to the server. In fact, this method just makes the hash BE the plaintext, if you can capture that you can send it over to the server just fine, without knowing the real password.

Send the password over ssl in plaintext, Salt. hash it with PBKDF2, scrypt, or bcrypt. . Many iterations. Done.

User account password hashing

1 Answers1