1 Reply Latest reply on Nov 23, 2010 6:20 PM by drkstr_1

    Are salted hashes still necessary when using SSL?

    Miggl Level 1

      I am developing a Flex app with a Zend Framework backend using Zend_Amf, Zend_Auth, and Zend_Acl. The application will use RemoteObjects with HTTPS endpoints.


      Do I need to be concerned with encrypting users' passwords, or will the SSL protect all information?


      I haven't been able to find a secure method of transmitting passwords that isn't vulnerable at some point:


      1) If using salts that are stored, the salt must be hard-coded in the client (Flex) and stored somewhere on the server. Drawback: Flex apps can be reverse-engineered, and the salt can be retrieved.

      2) If using dynamic salts, they must be requested and somehow transmitted to the client. If anyone can request a salt, what is to prevent a hacker from doing the same?

      3) Using one-way encryption without a salt is just like sending the password - once the hacker guesses the encrypted password, they can authenticate as well.


      So then the question is, if using HTTPS, is it necessary to bother encrypting the login password at all?


      Thanks!


      ~Mike
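As an added example (not code from this thread or from Zend Framework), here is the arrangement the three options in the post leave out: the password itself travels inside the HTTPS connection, and the salt is generated and kept only on the server, so nothing secret is hard-coded in the Flex client or handed out on request. Python standard library only; the in-memory user table and the 100,000 PBKDF2 iterations are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the server's user table:
# username -> (salt, iteration count, derived key). Nothing stored here is
# ever sent to the client; the salt exists only on the server side.
USER_TABLE = {}
ITERATIONS = 100_000          # assumed work factor for this demo
SALT_BYTES = 16
DUMMY_RECORD = (bytes(SALT_BYTES), ITERATIONS, bytes(32))


def derive_key(password, salt, iterations=ITERATIONS):
    """Slow, salted one-way derivation of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(username, password):
    """Store a fresh random salt and the derived key; the plaintext is discarded."""
    salt = os.urandom(SALT_BYTES)
    USER_TABLE[username] = (salt, ITERATIONS, derive_key(password, salt))


def verify_login(username, password):
    """Server-side check of a password received over TLS.

    A dummy record is used for unknown users so that a bad username costs the
    same time as a bad password, and the final comparison is constant-time.
    """
    known = username in USER_TABLE
    salt, iterations, stored = USER_TABLE.get(username, DUMMY_RECORD)
    candidate = derive_key(password, salt, iterations)
    return hmac.compare_digest(candidate, stored) and known


def stored_keys_differ(user_a, user_b):
    """True when two users' stored keys differ, even if their passwords match."""
    return USER_TABLE[user_a][2] != USER_TABLE[user_b][2]


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    register("bob", "correct horse battery staple")
    print("alice, right password:", verify_login("alice", "correct horse battery staple"))
    print("alice, wrong password:", verify_login("alice", "wrong"))
    print("unknown user:", verify_login("carol", "correct horse battery staple"))
    print("same password, different stored keys:", stored_keys_differ("alice", "bob"))
```

Because the per-user salt never leaves the server, a client that is reverse-engineered reveals nothing about it, and two users who pick the same password still get different stored records.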