
Client or Server side password hashing when a user registers (using HTTP)


I have a web application that can use both HTTP and HTTPS (depending on what the user chooses). When a user registers, should their password be hashed on the client side and then passed to the server, or should the plain text be passed to the server and then hashed?

I believe packet sniffing tools can be used to capture the password if using HTTP, so would it be better to hash it on the client side?


Solution

  • Would it be better to hash it on the client side?

    No, don't hash the username/password on the client side; it doesn't make any sense.

    If the web application is using HTTPS, the register request is already encrypted, which means hashing the password is redundant.

    If the web application is using HTTP, then everyone who is sniffing on the network can see all HTTP packets of this web app, which means:

    1. All client files of this web application are public, including the hash algorithm and secret key (if any). With the hash algorithm and the hashed password, a sniffer can easily crack the original password.
    2. Even if the sniffer fails to get the hash algorithm, or fails to crack the original password, he/she can use the hashed password to "login" to your web application and do whatever he/she wants.

    In summary, once a web application is using HTTP, nothing is secure.
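As an added example (not part of the original question or answer), here is the server-side approach the answer recommends: the server receives the plaintext over HTTPS and derives a salted, slow hash for storage, so the stored record is not itself a login credential. It uses only the Python standard library; the record format `pbkdf2_sha256$<iterations>$<salt>$<hash>` and the function names are my own choices.

```python
import base64
import hashlib
import hmac
import os

# Server-side key derivation parameters. The hash is computed on the server
# from the plaintext submitted over TLS, never on the client, so a captured
# stored record cannot simply be replayed as a password.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted hash at registration time.

    Returns a self-describing record "pbkdf2_sha256$<iter>$<salt>$<hash>"
    so the work factor can be raised later without breaking old records.
    """
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against a stored record; malformed records fail closed."""
    try:
        algorithm, iterations_str, salt_b64, hash_b64 = stored.split("$")
        iterations = int(iterations_str)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except (ValueError, TypeError):
        return False
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```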