Ask HN: Client-side MD5 password hashing

4 points by antileet over 14 years ago

I'm currently writing the auth for our web application. Normally the login form would have a username and password in a form. I hooked into the submit() event using JavaScript to change the value of the password to its MD5 equivalent.

Now on the server, I treat the MD5 hash as if it's a regular password - but this is assuming that the treatment is consistent between sign-up and log-in. The advantage here is that nobody except your client knows what your plaintext password is.

I'm sure that people would've tried doing this before. Is there any disadvantage of doing this? I don't see any apart from the fact that disabling JavaScript will disable the login. Any advice about this would be very useful.

2 comments

gdl over 14 years ago

My take as some random guy without any particular experience in these things:

Client-side hashing shouldn't make much of a difference to security. Passwords are generally hashed server-side before being stored anyway, and it wouldn't prevent any sort of man-in-the-middle attacks. The only benefit I see is that anyone sniffing the data before it gets hashed server-side would only see a hash with the power of a password rather than the password itself, making it less useful to use against other sites where the user might share the password. If you really need the security, though, go HTTPS.

I don't see any harm other than the inconvenience of needing JavaScript. Note that there could be weird failure cases though. As an example, if I initially sign up with NoScript active and send the raw password, then later enable JavaScript on your site and send it MD5'd, I wouldn't be allowed in. So be sure that if you do this, there is no normal way to sign up / log in without JavaScript enabled.
tcp over 14 years ago

I've done this in my own web application, and since the whole web application is built on JavaScript anyway, it's never been a problem.

I also hash the password again server-side, so:

* Only the client knows the plaintext password
* The plaintext password is never transmitted over the network
* The hash stored on the server isn't enough to sign in to the account