When SSL is noty available Should I make the extra effort and encrypt passwords?

itaym02

When SSL is noty available Should I make the extra effort and encrypt on the client side (using js) the password when performing login/registration/password change?
I assume this is good to prevent wireless sniffing.

Is there a better/simpler solution?

bpat1434

Even if you encrypt/hash the password on the client-side, it can still be hacked. At that point, then they don't need to know the password, they can just use the hashed / encrypted password without your javascript.

If SSL is required, I'd suggest you actually spend the money and purchase an SSL cert. If it's not required, then I wouldn't worry too much with encrypting passwords from a form.

itaym02

There is a solution, I can implement a two-way encryption (did some research...).

Each time you surf to the login form, this request will also bring a unique key from the server (The key changes each request).
I then encrypt the password with the key and send it to the server. At that point the key is expired, so even if someone listened (say in Starbucks) he won't be able to use the encrypted password in the way you described.
But, I think it is an overkill for what I need and I will take your advice and not use any encryption what so ever.