Anyone have a sha512 JS module for passing a securely hashed password instead of plain text?

Working on a verification setup and don't want to post a password unless it's been encrypted. I was wondering if any of you know of a standalone JS module for sha512 hashing. Haven't been able to find anything that works properly using Google.

29 Replies

Sean Power
1
1
Sean Power Entrepreneur • Advisor
Co-founder at Repable
This is the kind of question that's perfect for StackExchange. I doubt you'll get many answers here.
Marcus Matos
1
0
Marcus Matos Entrepreneur
Software Development & Information Technology Professional
Tyler,

Why reinvent the wheel? Can you just use https / SSL to accomplish what you are looking to do?
Tyler Balaban
0
0
Tyler Balaban Advisor
Brand Identity Developer at Openhwy
Marcus, I'll be doing that as well, but there are methods to strip SSL and the way I'm passing it, I just prefer the extra protection.
Marcus Matos
1
0
Marcus Matos Entrepreneur
Software Development & Information Technology Professional
Tyler,

I'd argue that if you don't trust SSL, then hashing won't make a difference. If you have to transmit a hash for authentication purposes, you should treat that hash the same way you'd treat a sensitive password. Additionally, by hashing client side you're locking yourself into a situation where 1) you cannot easily change out your hashing function without both client and server updates, and 2) you'd effectively need to expose the user's salt (and you are salting each user password separately, right?).

Most issues are around a lack of knowledge of proper implementation, and by trying to add another layer of complexity to your process you are more than likely actually reducing the level of protection.

Question for you: how will you prevent the plaintext password from being sent to the server if the user turns JavaScript off?

Anyway, a Google search for "Javascript SHA 512" had several potential results, including http://caligatio.github.io/jsSHA/. I recommend you tread carefully.
Tyler Balaban
0
0
Tyler Balaban Advisor
Brand Identity Developer at Openhwy
There are many situations where JavaScript cannot be switched off. You're referring to client/web side only. I'm referring this to many references but mainly server side. I trust SSL but like to prepare for everything, including ways to get around SSL such as stripping it where the average user wouldn't notice the difference. Also, I have already taken into consideration that the server would need to deal with the hash and salt it. Regardless, I'll take a look at that GitHub project; I have had some trouble implementing a few into successful modules, maybe this one will be different.
Marcus Matos
1
0
Marcus Matos Entrepreneur
Software Development & Information Technology Professional
Tyler,

If you're hashing client side, the salt is dealt with client side. I don't think you understand that when you hash client side, the transmitted hash effectively becomes the password and therefore is susceptible to the very same concerns you have about SSL being stripped away (which is really only possible with a MITM attack).

I urge you to read up on client side hashing and gain some understanding of why it's not considered a good practice and is very rarely done. Good luck!
Tyler Balaban
0
0
Tyler Balaban Advisor
Brand Identity Developer at Openhwy
"If you're hashing client side, the salt is dealt with client side." That is completely dependent on how you design it. You can hash a password and then salt it server side. But you assumed that I am hashing client side to begin with.

I agree SSL is a MITM attack, but it's still a preventative measure.
Brian Ledger
2
0
Brian Ledger Advisor
Data Scientist at Coherent Path
CryptoJS is your one stop shop
Sri Ram K Vemulpali
0
0
Sri Ram K Vemulpali Entrepreneur
Member of Technical Staff at Riverbed Technology
http://en.wikipedia.org/wiki/SHA-2

It has clear pseudocode and code in C. Decode it; also, you can validate the implementation yourself.
Diego Basch
0
0
Diego Basch Entrepreneur
Holder of Self-Referential Title
Marcus' answer is spot on. What exactly are you trying to protect against? You don't want to reinvent the wheel when it comes to security. From the perspective of your server, the user will be sending you an array of bits. From the perspective of an attacker, that string of bits gives them access to the user account. It doesn't matter how it was created.

Furthermore, nobody uses sha256 for passwords these days. The standard for http password security right now is:
  • ssl
  • never log or store plaintext passwords
  • bcrypt/scrypt/pbkdf2 server-side, with a random salt of adequate size
  • enforce a reasonable minimum password length (e.g. at least 12 characters) and allow ANY character
  • use 2FA
If you implement something that you came up with, you're likely to do worse than with a standard solution AND spend precious engineering cycles on it.