On Tue, May 19, 2009 at 9:30 AM, Magius <[email protected]> wrote:

>
> If you encrypt the password at the client side, everybody can review
> the javascript algorithm and break it.

That is blatantly wrong.  If I implement RSA in JavaScript, you're telling
me you can break it?  If you can do that, you can make millions (not only
because you could monitor any bank transaction but also because you will
have revolutionized the security field).


>
>
> If you establish an HTTPS connection, then the channel is secure and
> you can transfer the password in clear or with a simple
> transformation.

HTTPS is great for secure communication because it's a protocol that has
been vetted by extremely smart people.

However, you should always only ever store a hash of the password. To add to
that, you can ensure even better security for your users by salting &
hashing the password client side & storing that in a database - that way, at
no point in time can an attacker on your system get a client's password
(they'd have to attack the client directly).

If this is too much work, simply hash the password as soon as you get it on
the server side (although this approach also places more load on your
server).


>
>
> On May 19, 6:50 am, abhiram <[email protected]> wrote:
> > Hi all,
> >
> >   I wanted to know if there are any jars readily available for
> > encryption. I need to encrypt the password and send it across to the
> > server side.
> >
> > Thanks and Regards,
> > Abhiram
> >
>
