[drupal-devel] Securing Login: MD5 password hashing using javascript

Pat Collins pat at linuxcolumbus.com
Tue Nov 8 17:29:56 UTC 2005


On Tue, 8 Nov 2005 18:14:58 +0100, Konstantin Käfer
<kkaefer at gmail.com> wrote:

> Hello,
> 
> Why should sending the password hashed increase security? Just get the
> hashed password and provide that to the script (of course not by
> entering it in the password field but by "faking" the HTTP POST
> values).
> 
> The only way to protect the password is using SSL or TLS.
> 

True, but not everybody can use SSL/TLS. What about some kind of
authentication checking where the site would keep track of where you have
logged in from and, upon detection of a change, would prompt you with a
question that only you would know or send you an email that you would have
to respond to before you could gain access?

Pat
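
Added example, not part of the original thread and not Drupal code: a minimal Node.js model of the quoted point that a client-side MD5 hash becomes the credential itself when sent over plain HTTP. The account store, handler, field names (`name`, `pass_md5`) and sample password are all constructed for illustration.

```javascript
// Added illustration; every name and value here is hypothetical.
const crypto = require('crypto');

const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Hypothetical server-side account store holding MD5(password) per user.
const accounts = new Map([['alice', md5('correct horse')]]);

// Hypothetical login handler for the proposed scheme: the browser hashes the
// password in JavaScript and posts the hash; the server compares hashes.
function loginWithClientHash(post) {
  const stored = accounts.get(post.name);
  if (!stored || typeof post.pass_md5 !== 'string') return false;
  const a = Buffer.from(stored, 'hex');
  const b = Buffer.from(post.pass_md5, 'hex');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// What the browser-side script would submit over plain HTTP.
function browserSubmit(name, password) {
  return { name, pass_md5: md5(password) };
}

// The POST body as it travels unencrypted; any on-path observer sees this copy.
function wireCapture(post) {
  return JSON.parse(JSON.stringify(post));
}

function demo() {
  const legit = browserSubmit('alice', 'correct horse');
  const observed = wireCapture(legit);
  return {
    legitAccepted: loginWithClientHash(legit),
    // The same POST values are accepted again; the password was never needed.
    resentAccepted: loginWithClientHash(observed),
    // Hashing did hide the plaintext, but not anything the server checks.
    passwordOnWire: JSON.stringify(observed).includes('correct horse'),
  };
}

console.log(demo());
```

The plaintext never crosses the wire, yet the server cannot tell the original submission from a resent copy, which is why the quoted message concludes that only SSL or TLS protects the login.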



