[drupal-devel] Securing Login: MD5 password hashing using javascript

Pat Collins pat at linuxcolumbus.com
Tue Nov 8 17:29:56 UTC 2005

On Tue, 8 Nov 2005 18:14:58 +0100, Konstantin Käfer
<kkaefer at gmail.com> wrote:

> Hello,
> Why should sending the password hashed increase security? Just get the
> hashed password and provide that to the script (of course not by
> entering it in the password field but by "faking" the HTTP POST
> values).
> The only way to protect the password is using SSL or TLS.

True, but not everybody can use SSL/TLS. What about some kind of
authentication checking where the site would keep track of where you have
logged in from and upon detection of a change would prompt you with a
question that only you would know or send you an email that you would have
to respond to before you could gain access?
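
The check proposed in this message, as an added sketch (not code from the thread or from Drupal). The class and method names, the use of the source IP address as "where you have logged in from", and the in-memory outbox standing in for email are all assumptions. The login accepts the client-sent MD5 hash as in the scheme under discussion, so a captured hash presented from an unfamiliar address is held until the emailed token is confirmed.

```python
import hashlib
import hmac
import secrets


def client_hash(password):
    """What the browser-side script in the thread would send instead of the password."""
    return hashlib.md5(password.encode()).hexdigest()


class StepUpLogin:
    """Hypothetical login flow: credential check, then a known-origin check."""

    def __init__(self):
        self.users = {}    # name -> stored MD5 hex digest
        self.known = {}    # name -> origins already confirmed for this account
        self.pending = {}  # one-time token -> (name, origin) awaiting confirmation
        self.outbox = []   # (name, token) pairs; stands in for sending email

    def register(self, name, password, origin):
        self.users[name] = client_hash(password)
        self.known[name] = {origin}

    def login(self, name, sent_hash, origin):
        stored = self.users.get(name)
        # Constant-time comparison of the stored digest and the submitted one.
        if stored is None or not hmac.compare_digest(stored.encode(), sent_hash.encode()):
            return "denied"
        if origin in self.known[name]:
            return "ok"
        # Correct credential from an unseen origin: no session yet.
        # The token travels by email, never back in the HTTP response.
        token = secrets.token_urlsafe(16)
        self.pending[token] = (name, origin)
        self.outbox.append((name, token))
        return "confirm"

    def confirm(self, token):
        entry = self.pending.pop(token, None)  # tokens are single-use
        if entry is None:
            return False
        name, origin = entry
        self.known[name].add(origin)
        return True
```

The check only adds a hurdle for logins from unfamiliar addresses; a hash replayed from an already-confirmed address still succeeds.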

