[drupal-devel] Securing Login: MD5 password hashing using javascript

Sergio lsmoura at gmail.com
Tue Nov 8 13:06:02 UTC 2005


It's easy to hack even if it is encrypted with md5 with javascript. The best
way would be to use https...
But, I must agree that it's better than nothing... But there is one
issue... What if the user doesn't use javascript? There should be a noscript tag
that allows the user to authenticate without javascript (and lets the server
know that the authentication is plain).
Maybe it could be introduced by a module or something that can be easily
turned on and off...

- Luis Sergio Moura


On 11/8/05, Fabio Varesano <fabio.varesano at gmail.com> wrote:
>
> NOTE: This is a copy of http://drupal.org/node/36793
> where you can find the patch i'm talking about
>
> Hello everybody.
>
> Drupal sends login password using plain text
> which makes password sniffing really easy.
> (ever tried ethereal in a hub connected lan???)
>
> It is possible to secure sending of password using md5 hashes
> on the client side using javascript.
>
> A good example and explanation of this can be found at
> http://pajhome.org.uk/crypt/md5/auth.html
> here is a demo:
> http://pajhome.org.uk/crypt/md5/chaplogin.html
>
> The patch attached is a first attempt at changing the login procedure to let
> the user's browser do the md5 password hashing before sending it.
>
> While an attacker can still use it for logging in to the drupal site,
> this prevents reuse of the password on other systems where the user
> has an account.
>
> A more advanced usage of this technique is implementing a
> "challenge response" system as described in
> http://pajhome.org.uk/crypt/md5/auth.html
>
> Yahoo! Mail Italia uses this.
> Also Yahoo! Mail International seems to use it.
>
> This patch is only for demonstration.
>
> Fabio Varesano
>