On Sun, Jan 9, 2011 at 8:12 AM, António P. P. Almeida <appa@perusio.net> wrote:
3. There's a very nice module http://drupal.org/project/safer_login that sends a salted double pass MD5 hash of your password. It uses a jQuery MD5 plugin. The issue is that it has problems with the usual password saving mechanism in browsers, since what appears in the password form field is the hash and not the password. If you can live with *always* entering your password, hence not relying on the convenient password remembering mechanism available in browsers, this is a very cheap and easy way of securing the login process.
This secures the password, but not the session. The session token is still sent in the clear and can be sniffed and hijacked (see Firesheep). The safer_login module is mostly "security theater" designed to make people feel good but not actually increase security. I think OpenID where users can have a provider that uses https is a better solution if the only goal is to protect the user password but not necessarily the session. OpenID has the benefit of reducing the number of passwords that a user has to remember and can make it more cost effective to do multi-factor authentication (e.g. using a SecurID token).

Regards,
Greg

--
Greg Knaddison | 720-310-5623 | http://growingventuresolutions.com
Mastering Drupal | http://www.masteringdrupal.com
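The distinction Greg draws above (the password is hidden, the session is not) can be made concrete with a small model of the login flow. The following Python is an added example written for this thread; it is not code from the safer_login module, Drupal, or either poster. The "salted double MD5" construction, the per-login salt, the `SESS` cookie name and the sample credential are all assumptions; only the shape of the exchange matters: the browser sends a hash instead of the password, the server answers with a session cookie, and every later request carries that cookie. A passive observer on a plain-HTTP hop (the Firesheep scenario) is modelled as a list of everything it can read, and a defender's cookie-flag check is included at the end.

```python
import hashlib
import secrets
from typing import Optional


def client_side_hash(password: str, salt: str) -> str:
    """Salted double-MD5 as the thread describes (exact layout is an assumption)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((salt + inner).encode()).hexdigest()


class Sniffer:
    """What a passive observer on a plain-HTTP hop can read."""

    def __init__(self) -> None:
        self.captured = []

    def observe(self, message: dict, tls: bool) -> None:
        # Over HTTPS the observer sees ciphertext only; over HTTP it sees everything.
        self.captured.append({"encrypted": True} if tls else dict(message))

    def saw_value(self, value: str) -> bool:
        return any(value in str(m) for m in self.captured)


class Server:
    """Minimal server: verifies the credential, then issues a session cookie."""

    def __init__(self, username: str, password: str) -> None:
        self.users = {username: password}
        self.sessions = {}

    def login_salt(self) -> str:
        # Per-login nonce (assumption): an observed hash cannot be replayed later.
        return secrets.token_hex(8)

    def login(self, username: str, credential: str, salt: Optional[str]) -> dict:
        stored = self.users.get(username)
        if stored is None:
            return {"status": 403}
        expected = client_side_hash(stored, salt) if salt else stored
        if not secrets.compare_digest(expected, credential):
            return {"status": 403}
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        # Constructed cookie: note the missing Secure flag.
        return {"status": 200, "Set-Cookie": f"SESS={sid}; HttpOnly"}


def simulate(use_safer_login: bool, tls: bool) -> dict:
    """Run one login plus one authenticated request; report what the observer got."""
    password = "correct horse"  # constructed sample credential
    server = Server("alice", password)
    sniffer = Sniffer()

    salt = server.login_salt() if use_safer_login else None
    credential = client_side_hash(password, salt) if use_safer_login else password

    request = {"user": "alice", "pass": credential, "salt": salt}
    sniffer.observe(request, tls)
    response = server.login("alice", credential, salt)
    assert response["status"] == 200
    sniffer.observe(response, tls)

    sid = response["Set-Cookie"].split(";")[0].split("=", 1)[1]
    # Every later request carries the cookie; this is the value a hijacker replays.
    sniffer.observe({"Cookie": f"SESS={sid}"}, tls)

    return {
        "password_exposed": sniffer.saw_value(password),
        "session_exposed": sniffer.saw_value(sid),
    }


def cookie_flags_ok(set_cookie: str) -> bool:
    """Defender's check: a session cookie should be Secure (TLS only) and HttpOnly."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return {"secure", "httponly"} <= attrs


if __name__ == "__main__":
    for safer, tls in [(False, False), (True, False), (True, True)]:
        print(f"safer_login={safer} tls={tls}: {simulate(safer, tls)}")
    print("cookie without Secure flag ok?", cookie_flags_ok("SESS=abc; HttpOnly"))
```

Running it shows the three cases: plain HTTP exposes both password and session; HTTP with the client-side hash hides the password but still exposes the session; only TLS hides both. The `cookie_flags_ok` check is the configuration-level counterpart: a session cookie issued without the `Secure` attribute will be sent over any later plain-HTTP request even if the login itself happened over HTTPS.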