[drupal-devel] Securing Login: MD5 password hashing
using javascript
Adrian Rossouw
adrian at bryght.com
Tue Nov 8 17:45:53 UTC 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08 Nov 2005, at 7:29 PM, Pat Collins wrote:
>
> On Tue, 8 Nov 2005 18:14:58 +0100, =?ISO-8859-1?Q?Konstantin_K=E4fer?=
> <kkaefer at gmail.com> wrote :
>
>> Hello,
>>
>> Why should sending the password hashed increase security? Just get
>> the
>> hashed password and provide that to the script (of course not by
>> entering it in the password field but by "faking" the HTTP POST
>> values).
>>
>> The only way to protect the password is using SSL or TLS.
>>
>
> True, but not everybody can use ssl/tls. What about some kind of
> authentication checking where the site would keep track of where
> you have
> logged in from and upon detection of a change would prompt you with a
> question that only you would know or send you an email that you
> would have
> to respond to before you could gain access?
Like certain ISP's that change the ip of the user with ever request ?
'where you have logged in from' is mostly impossible to determine.
- --
Adrian Rossouw
Drupal developer and Bryght Guy
http://drupal.org | http://bryght.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFDcORSgegMqdGlkasRAmULAKCnx9c10DpansVaIdIOZ5vu62OPUACeKInz
mvK7AEjymAqABbxGDVMMRyM=
=I4Rd
-----END PGP SIGNATURE-----
More information about the development
mailing list