On 11/9/05, Syscrusher <scott@4th.com> wrote:
I'm not meaning to take sides on the overall issue of whether the JavaScript authentication hash is a good idea or not -- I don't have a strong preference. But it is possible to implement it without exposing the MD5 of the actual password on the Internet.
On a somewhat related topic, I have always been hesitant about the drupal.module feature of logging into a site using an account from another system because it would be possible for a malicious admin to modify drupal.module on his site to capture the password. It might be possible to use the above method, in combination with something else, to protect against sending a plain text password through the site being visited. Of course I'd love to be wrong about the whole thing.