[drupal-devel] Securing Login: MD5 password hashing using
javascript
Konstantin Käfer
kkaefer at gmail.com
Tue Nov 8 17:14:58 UTC 2005
Hello,
Why should sending the password hashed increase security? Just get the
hashed password and provide that to the script (of course not by
entering it in the password field but by "faking" the HTTP POST
values).
The only way to protect the password is using SSL or TLS.
Regards,
Konstantin
2005/11/8, Sergio <lsmoura at gmail.com>:
> It's easy to hack even if it is encrypted with md5 with javascript. The best
> way would be to use https...
> But, I must aggree that it's better than nothing... But there is one
> issue... If the user dont use javascript? There should be a noscript tag
> that allows the user to authenticate without javascript (and let the server
> knows that the authentication is plain).
> Maybe it could be introduced by a module or something that can be easily
> turned on and off...
>
> - Luis Sergio Moura
>
>
>
> On 11/8/05, Fabio Varesano <fabio.varesano at gmail.com> wrote:
> > NOTE: This is a copy of http://drupal.org/node/36793
> > where you can find the patch i'm talking about
> >
> > Hello everybody.
> >
> > Drupal sends login password using plain text
> > wich makes really easy password sniffing.
> > (ever tried ethereal in an hub connected lan???)
> >
> > It is possible to secure sending of password using md5 hashes
> > on the client side using javascript.
> >
> > A good example and explaination of this could be found at
> > http://pajhome.org.uk/crypt/md5/auth.html
> > here some demo:
> > http://pajhome.org.uk/crypt/md5/chaplogin.html
> >
> > The patch attached is a first attempt in changing login procedure to let
> > user browser do the md5 password hasing before send it.
> >
> > While an attacker can still use it for logging in to the drupal site
> > this prevents to reuse the password on other sistems where the user
> > has an account.
> >
> > A more advanced usage of this technique is implementing a
> > "challenge response" system as described in
> > http://pajhome.org.uk/crypt/md5/auth.html
> >
> > Yahoo! Mail Italia use this.
> > Also Yahoo! Mail International seems use it.
> >
> > This patch is only for demostration.
> >
> > Fabio Varesano
> >
>
>
--
http://timcn.de
More information about the development
mailing list