hash - Are there any SHA-256 JavaScript implementations that are generally considered trustworthy?


I am writing a login for a forum, and need to hash the password client side in JavaScript before sending it on to the server. I'm having trouble figuring out which SHA-256 implementation I can trust. I was expecting there to be some kind of authoritative script that everyone used, but I'm finding loads of different projects, all with their own implementations.

I realize that using other people's crypto is a leap of faith unless you're qualified to review it yourself, and that there is no universal definition of "trustworthy", but this seems common and important enough that there ought to be some kind of consensus on what to use. Am I naive?

Edit, since this comes up a lot in the comments: yes, there is a more stringent hash again on the server side. The client side hashing is not the final result saved in the database. The client side hashing is there because the human client requests it. They have not given a specific reason why, overkill.

The Stanford JS Crypto Library contains an implementation of SHA-256. While crypto in JS isn't as well-vetted an endeavor as on other implementation platforms, this one is at least partially developed by, and to an extent sponsored by, Dan Boneh, who is a well-established and trusted name in cryptography, which means the project has oversight by someone who knows what he's doing. The project is also supported by the NSF.

It's worth pointing out, however...
... that if you hash the password client-side before submitting it, then the hash is the password, and the original password becomes irrelevant. An attacker only needs to intercept the hash in order to impersonate the user, and if that hash is stored unmodified on the server, then the server is storing the true password (the hash) in plain-text.

So your security is now worse because you decided to add your own improvements to a trusted scheme.
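The point made in the answer, and the server-side re-hash mentioned in the question's edit, as an added example that is not code from the original post or from the Stanford library: a server that stores the client hash unmodified is compared with one that runs it through a salted scrypt. Node's built-in `crypto` module stands in for the browser-side SHA-256, and `clientHash`, `weakServer`, `hardenedServer` and `leakedRowLogsIn` are hypothetical names.

```javascript
const { createHash, randomBytes, scryptSync, timingSafeEqual } = require('node:crypto');

// Stand-in for the browser step: hex SHA-256 of the password (assumption: UTF-8 input).
function clientHash(password) {
  return createHash('sha256').update(password, 'utf8').digest('hex');
}

// Weak design: the value the client sends is stored and compared unmodified,
// so the database row is itself the login credential.
const weakServer = {
  db: new Map(),
  register(user, submitted) { this.db.set(user, submitted); },
  login(user, submitted) {
    const stored = Buffer.from(this.db.get(user) || '');
    const given = Buffer.from(String(submitted));
    return stored.length > 0 && stored.length === given.length && timingSafeEqual(stored, given);
  },
};

// Corrected design: whatever the client sends is treated as the password
// and stored only as a salted, slow hash (scrypt with Node's default cost).
const hardenedServer = {
  db: new Map(),
  register(user, submitted) {
    const salt = randomBytes(16);
    this.db.set(user, { salt, verifier: scryptSync(submitted, salt, 32) });
  },
  login(user, submitted) {
    const rec = this.db.get(user);
    if (!rec) return false;
    return timingSafeEqual(scryptSync(String(submitted), rec.salt, 32), rec.verifier);
  },
};

// Constructed scenario: does the stored row, submitted as-is, authenticate?
function leakedRowLogsIn() {
  const sent = clientHash('correct horse battery staple'); // constructed sample password
  weakServer.register('alice', sent);
  hardenedServer.register('alice', sent);
  const weakRow = weakServer.db.get('alice');
  const hardRow = hardenedServer.db.get('alice').verifier.toString('hex');
  return {
    legitWeak: weakServer.login('alice', sent),
    legitHardened: hardenedServer.login('alice', sent),
    weak: weakServer.login('alice', weakRow),
    hardened: hardenedServer.login('alice', hardRow),
  };
}
console.log(leakedRowLogsIn());
```

In both designs the value sent over the wire is still what authenticates the user, so the server-side hash protects the stored data only; protecting the hash in transit is the job of TLS.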

