[drupal-devel] Securing Login: MD5 password hashing using javascript
Fabio Varesano
fabio.varesano at gmail.com
Tue Nov 8 10:15:27 UTC 2005
NOTE: This is a copy of http://drupal.org/node/36793
where you can find the patch I'm talking about
Hello everybody.
Drupal sends the login password in plain text,
which makes password sniffing really easy.
(Ever tried Ethereal on a hub-connected LAN???)
It is possible to secure the sending of the password using MD5 hashes
computed on the client side with JavaScript.
A good example and explanation of this can be found at
http://pajhome.org.uk/crypt/md5/auth.html
Here is a demo:
http://pajhome.org.uk/crypt/md5/chaplogin.html
The patch attached is a first attempt at changing the login procedure to let
the user's browser do the MD5 password hashing before sending it.
While an attacker can still use it to log in to the Drupal site,
this prevents reuse of the password on other systems where the user
has an account.
A more advanced usage of this technique is implementing a
"challenge response" system as described in
http://pajhome.org.uk/crypt/md5/auth.html
Yahoo! Mail Italia uses this.
Yahoo! Mail International also seems to use it.
This patch is only for demonstration.
Fabio Varesano