Is it secure to encrypt my POST variables to md5 before sending them?

Solution 1:

Using JavaScript to hash the password before sending over the wire is the very least I would expect. It would be nicer yet if you used CRAM-MD5, HTTP Digest, or SSL (experts have spent thousands of hours poring over the security implications of these protocols).

You absolutely must use salt. If you do not, the passwords are easily reversed using rainbow tables. A very simple salt that works fairly well: have the server send a random salt with the page. MD5 the password, then MD5 the first hash and the salt together. On the server side you can store the MD5 password, and run a quick MD5 on the stored hash and the salt from the page; compare and authenticate appropriately. This sort of salt is known as a nonce. You should also add a long realm salt to both the original password and the one stored on the server.

So a "good" way to go (short of SSL and the others mentioned above) is:

A = MD5 ( Password + Realm)
B = MD5 ( A + Nonce)

Send B over the wire. Keep A stored on the server. When setting A in the first place use a simple reversible encryption like ROT or XOR. Personally I would consider anything less than this irresponsible because so many users foolishly use the exact same password for darn near everything (even Jeff - site founder - has done this).
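The A/B challenge-response scheme above, worked through end to end as an added example (this is not the answerer's code): the client derives A and B from the password, realm and nonce, only B crosses the wire, and the server stores A and checks B against a single-use nonce. It assumes one outstanding nonce per user, a fixed server-side realm string, and hex-encoded MD5 digests.

```python
import hashlib
import hmac
import secrets


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def derive_a(password: str, realm: str) -> str:
    # A = MD5(Password + Realm): what the server stores and the client recomputes
    return md5_hex(password + realm)


def derive_b(a: str, nonce: str) -> str:
    # B = MD5(A + Nonce): the only value sent over the wire
    return md5_hex(a + nonce)


class Server:
    def __init__(self, realm: str):
        self.realm = realm
        self.users = {}     # username -> stored A
        self.pending = {}   # username -> outstanding nonce (single use)

    def register(self, username: str, password: str) -> None:
        self.users[username] = derive_a(password, self.realm)

    def issue_nonce(self, username: str) -> str:
        # Fresh random nonce per login attempt, sent with the page
        nonce = secrets.token_hex(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username: str, b: str) -> bool:
        # Consume the nonce so a captured B cannot be replayed
        nonce = self.pending.pop(username, None)
        a = self.users.get(username)
        if nonce is None or a is None:
            return False
        return hmac.compare_digest(derive_b(a, nonce), b)


def client_response(password: str, realm: str, nonce: str) -> str:
    # What the browser-side JavaScript would compute and submit
    return derive_b(derive_a(password, realm), nonce)
```

The stored A is password-equivalent: whoever holds it can answer any nonce, so the user table needs the same protection a plaintext password store would.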

Solution 2:

No. Don't do this. Force the use of SSL in the login screen then you'll know that the username/password are encrypted when sent.

Then, when the password is received by your PHP application, it can MD5 or SHA1 hash the password and store that.

To login, hash the received password and compare it with the hashed stored password. If they match you allow the user through.

By the way, to prevent a dictionary attack on your password database you will want to "salt" the password before hashing. See: http://en.wikipedia.org/wiki/Salt_(cryptography)

Solution 3:

If you use salt on your hash, the sniffer can easily visit your page and obtain your hash from your JavaScript. Also, md5 is not exactly secure in the sense that it's not collision proof. So don't do this, just use SSL if it's really sensitive.