Should I encrypt the password in the application or on the server?

Viewed 132 times

5

I am making an application that requires user registration, and my question is whether I should do the encryption in the application and save the result on the server, or send the password and encrypt it on the server at login time?

  • I think it is better to do an encryption in the application, and then on the server decrypt it and encrypt it again with another encryption, MD5 as far as I know. Because it might be intercepted before it reaches the server.

2 answers

6


All confidential information should always travel in encrypted form, from where it was typed all the way to the server. You can use the mechanisms available in the operating system and accessible through the device API.

On the server, upon receipt, it should immediately be transformed into a hash and the original password discarded.

More than that would be doing cryptography end-to-end, but that is a more complicated process; it creates some difficulties and only applies where a lot of privacy is needed and the attack surface has to be reduced a little further, which guarantees nothing, because the endpoint can be compromised in several ways.

  • thanks for the reply

2

Answering clearly and quickly: the password must be encrypted in the application.

Why?

When the application sends the data to the server, nothing prevents this data from being read or intercepted along the way, for example in a Man-in-the-Middle attack. When this data travels over the network in plain text, anyone can read it without much difficulty.

But what if the communication is done using https?

With the use of https between the services, the encryption of the messages exchanged between the endpoints is guaranteed, provided that the certificates and protocols involved are up to date and working.

Finally, the ideal would be to exchange messages using end-to-end encryption, as @Maniero rightly mentioned in his reply. However, due to the high cost and complexity, it becomes somewhat difficult to apply. So, for your scenario, a solution close to the ideal would be: the information leaves the app already encrypted and goes directly to your server, which uses https.

  • thanks for the reply
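Added example, not code from the question or from either answer, of the server-side step both answers arrive at: whatever the app sends over HTTPS, the server immediately runs it through a salted, deliberately slow key-derivation function, stores only that result, and never keeps the original. It uses only Python's standard library (`hashlib.pbkdf2_hmac`, `hmac.compare_digest`); the in-memory dictionary standing in for the user database, the record format, and the usernames and passwords are constructed for the example. The caveat worth noticing: if the app pre-hashes the password before sending it, the server must still salt and hash what it receives, because otherwise the stored value is itself the credential that unlocks the account.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Added example (not from the original question or answers): server-side
# handling of a password received over TLS, as the first answer advises:
# hash immediately, discard the original.

# PBKDF2-HMAC-SHA256 work factor; 600,000 is the OWASP (2023) recommendation.
KDF_ITERATIONS = 600_000
SALT_BYTES = 16
HASH_ALGO = "sha256"
RECORD_TAG = f"pbkdf2_{HASH_ALGO}"


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = KDF_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    The salt is random and unique per call, so two users (or one user
    registering twice) with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_ALGO, password.encode("utf-8"), salt, iterations)
    return f"{RECORD_TAG}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    try:
        tag, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if tag != RECORD_TAG:
        return False  # unknown algorithm; never fall back to a weaker one
    candidate = hashlib.pbkdf2_hmac(
        HASH_ALGO, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking, via timing, how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


# Constructed stand-in for the user table: username -> stored record.
# Note that the plaintext password is never written anywhere.
_users: Dict[str, str] = {}


def register(username: str, password: str) -> bool:
    """Store only the salted hash; returns False if the username is taken."""
    if username in _users:
        return False
    _users[username] = hash_password(password)
    return True


def login(username: str, password: str) -> bool:
    """Check a login attempt against the stored record."""
    record = _users.get(username)
    if record is None:
        # Run the KDF anyway so an unknown username costs the same time as a
        # wrong password, which keeps username enumeration via timing harder.
        hash_password(password, salt=bytes(SALT_BYTES))
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")  # constructed sample
    print("stored record:", _users["alice"])
    print("right password:", login("alice", "correct horse battery staple"))
    print("wrong password:", login("alice", "Tr0ub4dor&3"))
    print("unknown user:  ", login("mallory", "anything"))
```

The record stores the algorithm tag and iteration count alongside the salt, so the work factor can be raised later and old records re-hashed on a user's next successful login without a separate migration. A pre-hash computed by the app would simply be the `password` argument here; the server-side salt and KDF still apply to it unchanged.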
