I use javascript for client side hashing before the data is posted because I read somewhere that the postback or something could be hacked. I don't have the link on me but I might find it

Things may be hacked, but you are basically giving the user the key to a door.. Rather than having to work out what you are doing to a string, they know exactly what is happening.

Also, some people have javascript off, meaning that the string will not be hashed.

You can do the same thing in PHP, much more secure to do it that way as the end user should then never find out what you are doing.

http://www.google.nl/search?hl=nl&c2...G=Zoeken&meta=
This is the link that is mentioned in a thread about postback hacking. It's a dutch thread so I'll just say what's mentioned there:
"Hackers are able to intercept data you send to the server. If they get to intercept the postback (see notes) then the password is openly in front of them. How do we solve this? By hashing the password on the client."
I guess that it's a downside that the method of encryption is visible, however, all they have is the encryption method and the encrypted password. And to decrypt it, that's another something.

My intentions are not to make you feel bad about your post, I'm just explaining why I used the javascript method. According to the thread I used about login systems; which method would you use? I don't know anything about this stuff that's why I looked it up. Maybe you can elaborate on how I'm giving them a key.
And the login will just require javascript to be turned on, if not they will get a message saying it's not.

Anyway, thanks for all the replies, hope to get one soon again.

If you have information before hand, it makes tasks easier, right? If a hacker knows how you hashed a password, then it makes it easier for them to get around it. The less they know, the harder it is to hack something.

I have actually never seen anything where a hacker has intercepted a http request. Its never been a major issue and my Internet Security Officer at work would make us prevent against it, if it was a viable threat.

If you are so worried, look into secure socket layer protection (ssl). It encrypts all data between the server and the client. Never use js to hash anything. I understand why you are doing it, but if a user disables javascript, the hacker can see the plain text password anyway. Its not going to help out much.

I really don't recommend making a user have javascript enabled to login. There are actually a lot of people that disable js when they login to a website. It helps prevent hackers to run malicious scripts to steal and change your data in an account. This is known as CSRF or XSRF. It is good practice to do this.

You should turn your focus to hashing the password on the php side of things. No one can change that.

As for other security factors you should look into, you might want to use a token system and timed forms. These help with CSRF.