Question

I'm currently looking at using bCrypt to encrypt the passwords of the future users in my project.

It looks extremely powerful, but here's my concern --

  • On the web site, create an account. The server will bCrypt your password and store its hash. test --> $2a$12$4PhCN62AmALB7e.Sv2w9w.AP/JZ28l.dZldU5iHyupY2w5wPz9o.u
  • Now to check your password, you simply check the return of BCrypt.Net.BCrypt.Verify("test", "$2a$12$4PhCN62AmALB7e.Sv2w9w.AP/JZ28l.dZldU5iHyupY2w5wPz9o.u") to ensure a match.

In the case of using a client-side app to work with this webserver, and the same data, do I need to send the password over the wire to have the server match its validity? Is it feasible to have the client request the hash, and have the server send it to the client, that way the client can do the hashing and verify it?


Solution

You can prevent the plaintext password from being sent over the wire by using SSL (e.g. https). The password will be plaintext but the connection will be secure, and only the server and client will be able to decode info in that connection.
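As an added example (not code from the question or the answer), here is the server-side pattern the answer implies, written in C# with the BCrypt.Net library from the question: https carries the plaintext password to the server, the server runs Verify against the stored hash, and only a yes/no result goes back, so the hash never leaves the server. AccountStore, Register, Login and the dummy-hash timing guard are my own names and assumptions.

```csharp
// Added example, not from the original question or answer. Assumes the
// BCrypt.Net package is referenced and that TLS (https) is terminated by the
// web host, so this class only ever sees the already-decrypted password.
using System;
using System.Collections.Generic;

public sealed class AccountStore
{
    // Work factor 12 matches the "$2a$12$" prefix of the hash in the question.
    private const int WorkFactor = 12;

    // username -> bcrypt hash. The hash stays here; it is never sent to a client.
    private readonly Dictionary<string, string> _hashes =
        new Dictionary<string, string>(StringComparer.Ordinal);

    // Hash of a constructed dummy password at the same work factor, computed once,
    // so a login for an unknown user costs the same time as a real Verify.
    private static readonly string DummyHash =
        BCrypt.Net.BCrypt.HashPassword("constructed-dummy-password", WorkFactor);

    // Registration: hash the password received over https and store only the hash.
    public void Register(string username, string password)
    {
        if (string.IsNullOrEmpty(username)) throw new ArgumentException("username required", nameof(username));
        if (string.IsNullOrEmpty(password)) throw new ArgumentException("password required", nameof(password));
        _hashes[username] = BCrypt.Net.BCrypt.HashPassword(password, WorkFactor);
    }

    // Login: the client sends the plaintext password over https; the server does the Verify.
    // Only a bool leaves this method, so a client can never learn or replay the stored hash.
    public bool Login(string username, string password)
    {
        if (!_hashes.TryGetValue(username, out var storedHash))
        {
            // Unknown user: still run Verify so the response time does not reveal
            // whether the username exists.
            BCrypt.Net.BCrypt.Verify(password ?? string.Empty, DummyHash);
            return false;
        }
        return BCrypt.Net.BCrypt.Verify(password ?? string.Empty, storedHash);
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new AccountStore();
        store.Register("alice", "test");
        Console.WriteLine(store.Login("alice", "test"));
        Console.WriteLine(store.Login("alice", "wrong"));
        Console.WriteLine(store.Login("bob", "test"));
    }
}
```

Handing the hash to the client instead would not work as an authentication check: the server would then be trusting the client's own verdict, and the hash itself would become something a client could present.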

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow