I am implementing a web application posed by a Javascript front end (single page application if you prefer), and a Rails backend.

The front end app make request through API to the server, I want to know what is the best practice for sending the password on the login or the password reset.

Should I send the clear password, or should I send the hash?

I think that both of two solutions have their drawbacks:

if I hash the password with JS, the user will have the code in his browser and can understand how I secure the password.

If I keep it clear, beh, it is just clear and so it can be intercepted.

I am implementing a web application posed by a Javascript front end (single page application if you prefer), and a Rails backend.

The front end app make request through API to the server, I want to know what is the best practice for sending the password on the login or the password reset.

Should I send the clear password, or should I send the hash?

I think that both of two solutions have their drawbacks:

if I hash the password with JS, the user will have the code in his browser and can understand how I secure the password.

If I keep it clear, beh, it is just clear and so it can be intercepted.

• javascript
• ruby-on-rails
• rest
• authentication

Share Improve this question Follow asked Jun 10, 2015 at 16:25 ciaobenciaoben 3,38844 gold badges3131 silver badges4747 bronze badges 2

• 3 Use https for secure transmission :-) – Shawn Commented Jun 10, 2015 at 16:28
• 4 Just send it over HTTPS. Some would also remend using POST instead of GET because server logging is less likely to capture the password than if using GET (often times URLS are logged). – jfriend00 Commented Jun 10, 2015 at 16:39

Add a ment  | 

1 Answer 1

Sorted by: Reset to default 4

As long as you're using HTTPS then their password cannot be intercepted. Well.... it probably won't be intercepted. But the tactics that they would have to use in order to capture that password are somewhat out of your control. The user will have to be sure that they are actually connected to your site.

I suggest reading this answer as well.

He goes over what it would take in order to intercept HTTPS munication. Your responsibility would be to make sure that your site only serves over HTTPS and that you have a pletely valid certificate.