Quote Originally Posted by Necrotic
The goal of this snippet is simply to reasonably secure passwords in the case of a data breach.

With that being said, use RSA keys to stop packet sniffers. (Unrelated to this snippet)
Implement this on the client if you see fit. Regardless, this snippet accomplishes its specific goal.
Why use RSA at all? RSA is used when you want to get the data back in its original form.

There is absolutely no need for that here. Hash the user's password client-side > send the hash to the server > server stores the hash and compares hashes to confirm it's the correct password at login.

Once again, there is absolutely no reason the server (you) should know what the user's password is. You can hash it how you see fit, but just an MD5 or SHA-512 is enough (as long as users are required to make somewhat unique passwords). The benefit of a hash versus encryption is that in the case of a data breach, your users' passwords are still secure. Whereas if the hacker was able to secure your RSA private key, it's all over.

You can of course use RSA on top of the hashing, if you'd like.
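The hash, store and compare flow described in the reply above, written out as an added example that is not code from either poster. It runs the hashing on the server side with a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256 from the standard library, with an assumed work factor) and compares with a constant-time check, which is the form a practitioner would deploy; the in-memory `_store` dict and the `breach_dump()` helper are assumptions standing in for a real database and for what an attacker would obtain by copying it.

```python
import hashlib
import hmac
import os

# Constructed in-memory user table: username -> (salt, iterations, hash).
# Assumption: a real server persists these rows; nothing here is plaintext.
_store: dict = {}

# PBKDF2 work factor. Assumed value; raise it as hardware allows.
ITERATIONS = 200_000
SALT_LEN = 16


def _derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(username: str, password: str) -> None:
    """Store salt + hash only; the server never keeps the password itself."""
    salt = os.urandom(SALT_LEN)
    _store[username] = (salt, ITERATIONS, _derive(password, salt))


def login(username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = _store.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response timing
        # does not reveal which usernames exist.
        _derive(password, b"\x00" * SALT_LEN)
        return False
    salt, iterations, stored = record
    return hmac.compare_digest(_derive(password, salt, iterations), stored)


def breach_dump() -> dict:
    """What someone who copies the table gets: hex salts and hashes, no passwords."""
    return {user: (salt.hex(), h.hex()) for user, (salt, _, h) in _store.items()}


if __name__ == "__main__":
    register("alice", "correct horse")
    register("carol", "correct horse")  # same password, different salt -> different hash
    print("alice ok:", login("alice", "correct horse"))
    print("alice bad:", login("alice", "wrong"))
    print("dump:", breach_dump())
```

The salt is what makes two users with the same password store different hashes, so a leaked table cannot be attacked with one precomputed lookup; the iteration count is what makes each guess expensive after a breach.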