Question
I know this question has been asked so many times, but here I am again with it. I am working on an application in which I need to log in users, but the question is that it is not a good idea to send user credentials in plain text, as they can be cracked by any network tool (I don't know how, so if you can tell me this too it will be very helpful). So can anyone tell me a better idea?
I have some solutions; from them, I am currently generating a client key and a server key, and then I concatenate client key + hash of user password + server key and post these three things to the server.
Same process on the server, and compare these 2 hashes.
Is this enough?
Well, I have also looked at jcryption.
Can anyone suggest a good idea?
Thanks....
Explanation / Answer
With your proposed system, anyone who intercepts the login transaction can store a copy of the password hash and use it in place of the password to impersonate the user.
If you really can't use SSL to protect communication, look into challenge-based authentication systems, where the password is never transmitted over the network, but instead proof that the password is known is transmitted, and this is done in a method that prevents replay attacks.
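An added illustration of the challenge-based scheme the answer describes (example code written for this page, not from the question or any library): the server sends a fresh one-time nonce, the client answers with an HMAC keyed by a password-derived key, and the server consumes the nonce on verification so a captured response cannot be submitted again. Names such as `Server`, `login` and `replay_is_rejected` are assumptions; users are registered out of band.

```python
import hashlib
import hmac
import os
import secrets


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Password-derived key; the server stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    def __init__(self, users: dict):
        # users: {username: password}, a constructed registration step
        self.db = {u: (os.urandom(16), None) for u in users}
        self.db = {u: (s, derive_verifier(users[u], s)) for u, (s, _) in self.db.items()}
        self.pending = {}  # username -> outstanding nonce, usable exactly once

    def challenge(self, user: str):
        # Salt is public; the nonce is fresh per attempt. Unknown users still
        # get a (deterministic fake) salt so the response does not reveal existence.
        salt = (self.db[user][0] if user in self.db
                else hashlib.sha256(b"fake-salt:" + user.encode()).digest()[:16])
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return salt, nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # consume: a second use finds nothing
        if nonce is None or user not in self.db:
            return False
        expected = hmac.new(self.db[user][1], nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Proof of knowledge of the password; the password itself never leaves the client."""
    return hmac.new(derive_verifier(password, salt), nonce, "sha256").digest()


def login(server: Server, user: str, password: str) -> bool:
    salt, nonce = server.challenge(user)
    return server.verify(user, client_response(password, salt, nonce))


def replay_is_rejected(server: Server, user: str, password: str) -> bool:
    """Check that a response captured on the wire is useless against a new challenge."""
    salt, nonce = server.challenge(user)
    resp = client_response(password, salt, nonce)
    first = server.verify(user, resp)
    server.challenge(user)              # new attempt issues a different nonce
    return first and not server.verify(user, resp)
```

This plain HMAC challenge-response only defends against replay: an eavesdropper can still guess passwords offline against a captured nonce/response pair, and a leaked verifier is password-equivalent here, which is why SRP-style protocols or TLS remain the stronger choice.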