[drupal-devel] Securing Login: MD5 password hashing using
lsmoura at gmail.com
Tue Nov 8 13:06:02 UTC 2005
way would be to use https...
But, I must agree that it's better than nothing... But there is one
knows that the authentication is plain).
Maybe it could be introduced by a module or something that can be easily
turned on and off...
- Luis Sergio Moura
On 11/8/05, Fabio Varesano <fabio.varesano at gmail.com> wrote:
> NOTE: This is a copy of http://drupal.org/node/36793
> where you can find the patch I'm talking about
> Hello everybody.
> Drupal sends the login password in plain text,
> which makes password sniffing really easy.
> (ever tried Ethereal in a hub connected LAN???)
> It is possible to secure sending of password using md5 hashes
> A good example and explanation of this could be found at
> here some demo:
> The patch attached is a first attempt at changing the login procedure to let
> the user's browser do the md5 password hashing before sending it.
> While an attacker can still use it for logging in to the drupal site,
> this prevents reuse of the password on other systems where the user
> has an account.
> A more advanced usage of this technique is implementing a
> "challenge response" system as described in
> Yahoo! Mail Italia use this.
> Also Yahoo! Mail International seems to use it.
> This patch is only for demonstration.
> Fabio Varesano
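
The two schemes named in the quoted message, compared side by side in an added sketch (not the patch from drupal.org/node/36793 and not code from either poster): a fixed client-side md5(password) is accepted again when the same bytes are resent, while a response bound to a one-time server challenge is not. The `Server` class, the helper names, the sample account and the response formula md5(challenge + md5(password)) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def md5_hex(text):
    # MD5 only because it is the hash the thread discusses.
    return hashlib.md5(text.encode()).hexdigest()

class Server:
    def __init__(self, users):
        # Assumption: the site stores md5(password) per user.
        self.stored = {u: md5_hex(p) for u, p in users.items()}
        self.pending = {}  # user -> outstanding one-time challenge

    def login_static(self, user, sent_hash):
        # Scheme 1: the browser sends md5(password) and the server compares.
        return hmac.compare_digest(self.stored.get(user, ""), sent_hash)

    def new_challenge(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def login_challenge(self, user, response):
        # Scheme 2: each challenge is consumed on first use.
        challenge = self.pending.pop(user, None)
        if challenge is None or user not in self.stored:
            return False
        expected = md5_hex(challenge + self.stored[user])
        return hmac.compare_digest(expected, response)

def client_static(password):
    return md5_hex(password)

def client_response(password, challenge):
    return md5_hex(challenge + md5_hex(password))

def demo():
    server = Server({"alice": "correct horse"})  # constructed account
    on_wire = client_static("correct horse")     # what a sniffer records
    static_replay = server.login_static("alice", on_wire)
    challenge = server.new_challenge("alice")
    on_wire = client_response("correct horse", challenge)
    first_use = server.login_challenge("alice", on_wire)
    server.new_challenge("alice")                # a later login attempt
    cr_replay = server.login_challenge("alice", on_wire)
    return static_replay, first_use, cr_replay

if __name__ == "__main__":
    print(demo())
```

In the second scheme the stored md5(password) is itself the shared secret, so a leaked user table is enough to answer challenges.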