What is the best way to hash a user's password in a client’s browser before sending it to a web server so that only the hash goes out and not the text password?
EDIT : assumes HTTP is used (not HTTPS)
Use javascript to calculate the hash. See this for an example on how to calculate SHA-1 hashes in JS.
Remember that if you depend on Javascript, your system will fail as soon as someone disables JS. You should use HTTPS if it bothers you, which has its own setbacks (for example, certificates cost money if you want browsers to accept them immediately.)
Try using the jQuery encryption plugin . Out of curiosity, what's wrong with using SSL / HTTPS and server-side encryption?
JavaScript , , .
SSL .
/: JavaScript
JavaScript-, jQuery, Eavesdroppers. MITM (Man-in-the-Middle) . SSL/TLS - , , ( IP-), , (JS, CSS, HTML,...).
? , , --, , . , --, ?
Why do we have hash passwords? So if hashes are received, they are difficult to use.
What happens in this model if the hashes in the system are displayed? An attacker simply sends them to the server and authenticates as a user.
This is why password hashing always occurs on the server, not on the client!