Are Passwords encrypted on the client side or server side?

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Fran3
New php-forum User
Posts: 14
Joined: Sun Oct 08, 2017 4:01 pm

Sun Jan 07, 2018 7:30 am

Case 1: New User Registration
Case 2: Existing User Login

In either case is the User Password encrypted on the Client Side or the Server Side?

Somehow I thought it was encrypted on the client side BUT after discovering the PHP API/Functions...
- password_hash()
- password_verify()

I read this online...
"Remember that you store the hashes in a database, but it’s the plain password that you get when a user logs in.
The password_verify() function takes a plain password and the hashed string as its two arguments. It returns true if the hash matches the specified password."

So, is it correct that no encryption occurs on the client side?

And that the process is sort of like the steps below...

New User Account Creation:
1 - New User fills out registration form
2 - that data is sent un-encrypted to the server
3 - the password is then encrypted/hashed via password_hash()
4 - and then stored (encrypted) with the username in the username_password table

Existing User Login:
1 - Existing user goes to log-in page and enters username and password
2 - that data is sent un-encrypted to the server
3 - password_verify() then takes the un-encrypted password and compares it to the hashed password in the table
4 - and returns 'true' if they match
5 - and you go on from here...

Thanks for any help.

benanamen
New php-forum User
Posts: 42
Joined: Mon Oct 16, 2017 1:06 pm

Mon Jan 08, 2018 6:21 pm

There is no encryption done on either side. Passwords are hashed by password_hash. The hash is stored in the DB. On login, the user supplied password is hashed and compared to the hash in the DB with password_verify.
The XY Problem
The XY problem is asking about your attempted solution (X) rather than your actual problem (Y). This leads to enormous amounts of wasted time and energy, both on the part of people asking for help, and on the part of those providing help.
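A worked version of the two cases Fran3 lists (registration, then login) and of benanamen's answer, as added example code that is not from this thread or any poster. The in-memory SQLite table, the `users` schema and the sample username and password are constructed for illustration.

```php
<?php
// Added example (not from the thread): the plaintext password reaches the
// server in both cases (TLS protects that hop); only a salted hash is stored,
// and nothing is ever decrypted. In-memory SQLite stands in for the real DB.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Case 1: registration. password_hash() picks a random salt and embeds
// algorithm, cost and salt in the result, so the same password hashed twice
// gives two different strings. Only this string goes into the table.
function register(PDO $db, string $username, string $plainPassword): void {
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Case 2: login. password_verify() re-hashes the submitted password with the
// salt taken from the stored hash and compares the two in constant time.
function login(PDO $db, string $username, string $plainPassword): bool {
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-for-timing', PASSWORD_DEFAULT);
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        // Unknown user: still run a verify so response time does not reveal
        // which usernames exist.
        password_verify($plainPassword, $dummyHash);
        return false;
    }
    if (!password_verify($plainPassword, $stored)) {
        return false;
    }
    // Transparently upgrade the stored hash if PASSWORD_DEFAULT has changed
    // since registration; the plaintext is available only at this moment.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->execute([password_hash($plainPassword, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed sample user: register, then try a correct and a wrong login.
register($db, 'alice', 'correct horse battery staple');
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong password'));
var_dump(login($db, 'nobody', 'anything'));
```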

Fran3
New php-forum User
Posts: 14
Joined: Sun Oct 08, 2017 4:01 pm

Tue Jan 09, 2018 5:15 am

Thanks for the reply.

We had already planned to use password_hash() and password_verify()

But that is done on the server side. I've come to the conclusion that the best way to protect passwords passed from the client to the server is via an SSL connection. Of course this is an expense as the site has to buy an SSL certificate.

BTW, I would think that 'hashing' is in fact a form of encryption... aka... making the original data difficult to obtain by anyone other than who it was intended for.

Thanks.

benanamen
New php-forum User
Posts: 42
Joined: Mon Oct 16, 2017 1:06 pm

Tue Jan 09, 2018 1:18 pm

BTW, I would think that 'hashing' is in fact a form of encryption
No, encryption means something can be de-crypted. Hashes are not de-crypted, they are compared. Big difference. There is no need to buy an SSL Cert. There are plenty of free ones available like https://www.sslforfree.com/