Client Side Password Hashes

I have written a number of articles with regard to how anything that you do to try to improve security between the browser and web server other than using HTTPS and a security certificate will at best have no effect and may actually make things worse with regard to security. In particular I suggested that hashing a password on the client achieves nothing since the man-in-the-middle attacker can simply use the hashed value to break into your account just as they could if you used the plain text version. I suggested that this actually lessens security since you have to allow for those without JavaScript sending the plain text version and hence have two values that will work as the password instead of one.

There has been one reply to that which mentioned something I didn't consider - that by sending a hashed version of the password whereever possible it makes it more difficult for the person who captures your hashed password to break into other accounts you may have where you have disregarded security and used the same password. Since the different sites presumably use a different "salt" value when hashing your password the hashed version that works on one site will not work on another.

Now this sounds like a good argument for using hashes but in fact it doesn't really affect my original argument much at all.

Basically there are three possible situations we need to look at with regard to the man-in-the-middle attack and what it is they are after.

Let's first look at the one where this new argument would make the biggest difference - where they are specifically targetting you and trying to break into all of your accounts where ever they may be. In this instance not hashing a password will make it easier for them if that password works for multiple sites. The thing is that it only needs one of the sites you use the password on to not hash it client side for the attacker to get a password they can try on all your other sites. So while a specific site hashing the password can provide some potential protection to other sites where their users have reused the same password it does nothing to remove the vulnerability to that site of other sites passing that password as plain text. The overhead of a huge hashing script might protect other sites but leaves your site more vulnerable than without it. Anyway someone trying to obtain all your passwords is unlikely to try to do so via a man-in-the-middle attack. They are far more likely to achieve that goal by managing to get a keylogger installed onto your computer and if they achieve that goal even HTTPS will not protect your passwords.

Another possibility is that they are targetting people trying to log in to a specific site. In that instance that you use the same password to log into other sites isn't at all relevant unless the site they are trying to break into uses HTTPS. If that is the case then they may look for other sites where the same people might have accounts and where HTTPS isn't used and then just look for passwords sent in plain text so as to try those. Your using hashing on your passwords would then protect some of your users from having their account on some other site broken into while doing nothing to protect their account on your site.

The third possibility is that the attacker isn't targetting any particular person or site in which case they will not particularly care whether a password is hashed or not as long as it works to get them into the account. If it is a plain text password that also gets them into other accounts belonging to the same person then that's a bonus.

Note that in all these situations having the password hashed does nothing to improve security on your site and in fact lowers security in that there are now two versions of each password that need to work in order to allow for those without JavaScript to hash it. The only possible protection it provides is to other sites where the user has been silly enough to use the same password and it only needs one site where they use the password to pass it in plain text for the attacker to get that password to use on the other sites anyway. This means that you hashing the passwords on your site only protects other sites if all the sites that the person has accounts with use hashing with different 'salt' values so that their hashed password on each site is different. Since most sites are likely to send passwords in plain text (since hashing lessens security on their site) you are not achieving any extra security for other sites by hashing passwords since the attacker will simply watch for passwords sent from the other sites that are not hashed.

So hashing your passwords will only protect other sites from attack, never your own site, and it will only do that if all the sites that a person uses a password with also hash it, each in different ways. The chances of your hashing passwords actually protecting some other site is therefore fairly unlikely. It certainly is not worth the overhead of a huge MD5 script and the lessening of security on your own site in the hope that it might improve security on some stranger's site.

What we get back to is that if securing passwords between the browser and server is important then you should use HTTPS in order to properly encrypt the password in a way that the man-in-the-middle attacker can't use at all. In so far as the passwords that you use to log in to sites is concerned, you should at the very least use a separate password for each of the important sites where you have accounts and where HTTPS is used. Perhaps you may share the same password between a number of less important sites (for example forums) where having your account broken into is a lot less important (they might be able to get you banned from a few forums but still don't have access to your bank account). You should never use the same passowrd for accounts that you have with differeing levels of importance as the less important site then compromises your security on the more important one.

go to top

FaceBook Follow
Twitter Follow