Re: [development] Securing Login: MD5 password hashing using javascript
On Wed, 9 Nov 2005 11:40:11 -0500, Khalid B <kb@2bits.com> wrote:
>> This doesn't even begin to address spyware/keyloggers. The only solution is ssl/tls since you are still sending the data in clear text over an unsecured network. But even in that case a locally installed keylogger will get your passwords no matter what.
> Spyware keyloggers will still compromise passwords even if SSL is used, since they are a local thing on the PC that captures keystrokes.
> SSL is no solution to that.

Didn't I just say that? If not, I meant to. :) So here is my vote: no vote for MD5 via javascript.

Pat
On 9 Nov 2005 11:49:36 -0500, Pat Collins <pat@linuxcolumbus.com> wrote:
> On Wed, 9 Nov 2005 11:40:11 -0500, Khalid B <kb@2bits.com> wrote:
>>> This doesn't even begin to address spyware/keyloggers. The only solution is ssl/tls since you are still sending the data in clear text over an unsecured network. But even in that case a locally installed keylogger will get your passwords no matter what.
>> Spyware keyloggers will still compromise passwords even if SSL is used, since they are a local thing on the PC that captures keystrokes.
>> SSL is no solution to that.
>
> Didn't I just say that? If not, I meant to. :)
> So here is my vote: no vote for MD5 via javascript.

Well, it sounded like you were criticizing the SSL solution because it does not address keyloggers. I was saying that it will not (nothing so far protects from a local infection). So we are in agreement, and I apologize.
Let me add my two cents. Using JS to do a challenge-based MD5 auth -- not bad. md5(challenge + md5(password)) -- no replayability, no reveal of the MD5 hash of the password. Is this necessary? I do not think so, but a contrib module indeed could do this, I think. As I linked in the issue, there are already ready-made implementations (phplib). If it's done right and it's popular, I won't object to moving it into core.

As for blogapi logins -- of course, SSL is a better solution, but the above would suffice for the many users who do not use blogapi. But as has been mentioned in the thread, the problem is that a vast majority of users are running from Windows, where malware is pretty common... and you can't protect your users from them unless you do some real heavy trickery.

Regards,
NK
participants (3)
- Karoly Negyesi
- Khalid B
- Pat Collins