How and Where encryption happens in a web application?
In a web application, how and where does password encryption happen? For example, when a user registers on a web site, is the password set by the user transmitted as plain text, with encryption applied on the server side before it is persisted in the database?

On the other hand, when HTTPS is used, data is encrypted and sent across the wire. In this scenario, do we again apply any encryption algorithms to the incoming data and then persist it in the database? Also, please explain which encryption algorithms are used when data is transmitted over HTTPS.
    Passwords are salted and hashed, not encrypted, whether or not you're using HTTPS (you should).

    – jonrsharpe
    Nov 21 '18 at 18:37
https password-encryption websecurity
asked Nov 21 '18 at 18:32
Anoop Deshpande
2 Answers
HTTPS encrypts the traffic between client and server; this prevents man-in-the-middle attacks. With HTTPS you can transport the password safely to the server; for you as a developer there is no work involved.

The server will automatically decrypt the password, and your application will get the plain text password. It is your job to use a password hash before storing it in the database. Recommended password hashes are BCrypt, SCrypt, Argon2 and PBKDF2.
          answered Nov 22 '18 at 7:55
martinstoeckli
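On the HTTPS half of this answer, an added example that is not code from the answer or from any project it mentions: in TLS the public-key operations happen only during the handshake, to authenticate the server and agree on session keys; the request and response bytes are then encrypted with a symmetric AEAD cipher chosen from the suites the client offers. The snippet builds Python's default client context, pins it to TLS 1.2 or newer, and lists what such a client would offer, which is a cheap check to run against the interpreter and OpenSSL build you actually deploy with. The function names `hardened_client_context`, `offered_cipher_suites`, `weak_suites` and `minimum_tls_version` are chosen here; the rest is the standard `ssl` module.

```python
import ssl

# Added example (not from the answers above): inspect what a Python TLS client
# offers when it connects over HTTPS. The "kea"/"auth" fields are the
# public-key part (key exchange and server authentication, handshake only);
# "symmetric"/"aead" describe the cipher that protects the actual HTTP bytes.


def hardened_client_context() -> ssl.SSLContext:
    """Default client context (certificate + hostname verification on),
    additionally pinned to TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def minimum_tls_version(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def offered_cipher_suites(ctx: ssl.SSLContext) -> list:
    """(name, key exchange, auth, symmetric cipher, aead) for every suite the
    client would offer. Older OpenSSL builds omit some fields, hence .get()."""
    return [
        (
            c["name"],
            c.get("kea", "?"),
            c.get("auth", "?"),
            c.get("symmetric", "?"),
            c.get("aead", None),
        )
        for c in ctx.get_ciphers()
    ]


def weak_suites(ctx: ssl.SSLContext) -> list:
    """Suite names that should never appear in a default context; a non-empty
    result means the OpenSSL build or cipher string was changed from the defaults."""
    bad = ("NULL", "RC4", "MD5", "DES", "EXPORT")
    return [c["name"] for c in ctx.get_ciphers() if any(b in c["name"] for b in bad)]


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum version:", minimum_tls_version(ctx))
    for name, kea, auth, sym, aead in offered_cipher_suites(ctx):
        print(f"{name:<32} kex={kea:<8} auth={auth:<9} bulk={sym:<14} aead={aead}")
    print("weak suites:", weak_suites(ctx))
```

The TLS 1.3 suites show up as names beginning with `TLS_` (for example `TLS_AES_256_GCM_SHA384`) with the key exchange reported as "any", because in TLS 1.3 the key exchange is always ephemeral Diffie-Hellman and is negotiated separately from the cipher suite.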
In addition to martinstoeckli's answer:

Rule n°2: Encryption will always be the second choice. If you can use hashing, please do.

HTTPS is asynchronous cryptography (private + public keys). The principle is that everything encrypted using the public key can only be decrypted using THE associated private key.

In our case, the client will use the public key to encrypt data, and the server will be the only one able to decrypt the data using the private key.

So you will get the plaintext of the data after the private key has done its job.

At this point, the best thing to do (in my opinion) is to hash the data (+ salt + possibly pepper) and store the hash in the database.

When the user, for example, tries to log in using his password, the server will once again hash the plaintext password received (using the same salt / pepper, obviously) and compare it with the one in the database.

If the hash is exactly the same as the one in the database, it means that the password entered by the user is correct.
                  answered Nov 26 '18 at 14:14
Kianii
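Both answers describe the same server-side flow: hash the plaintext password the application receives with a per-user salt (and, per the second answer, optionally a pepper), store the hash, and at login re-derive and compare. The following is an added example of that flow and is not code from either answer. It uses PBKDF2-HMAC-SHA256 from the standard library because it needs no third-party package; Argon2, scrypt or bcrypt, named in the first answer, are the stronger choices in production. The `PEPPER` value, the iteration count, the `pbkdf2_sha256$iterations$salt$hash` record format and the function names are all choices made here.

```python
import base64
import hashlib
import hmac
import os

# Added example, not code from either answer.
# PEPPER is a constructed server-side secret; in a real deployment it comes from
# configuration or a secrets manager and is never stored in the database row.
PEPPER = b"constructed-demo-pepper-do-not-reuse"
ITERATIONS = 600_000  # OWASP (2023) guidance for PBKDF2-HMAC-SHA256


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Pepper first (HMAC with the server secret), then the slow salted hash.
    A stolen table of salts + hashes is useless without the pepper."""
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations, dklen=32)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Registration: fresh random salt per user; returns the record to store."""
    salt = os.urandom(16)
    digest = _derive(password, salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Login: re-derive with the stored salt and iteration count, then compare
    in constant time. Malformed or foreign records simply fail to verify."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    candidate = _derive(password, salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple", iterations=10_000)
    print("stored record:", record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Correct horse battery staple", record))
```

Storing the algorithm name and iteration count inside the record is what lets you raise the cost (or move to Argon2) later: `verify_password` reads the parameters from the row, so old and new records can coexist and a user's record can be re-hashed on their next successful login.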