[drupal-devel] Securing Login: MD5 password hashing using javascript

Adrian Rossouw adrian at bryght.com
Tue Nov 8 17:45:53 UTC 2005



On 08 Nov 2005, at 7:29 PM, Pat Collins wrote:

>
> On Tue, 8 Nov 2005 18:14:58 +0100, Konstantin Käfer
> <kkaefer at gmail.com> wrote:
>
>> Hello,
>>
>> Why should sending the password hashed increase security? Just get the
>> hashed password and provide that to the script (of course not by
>> entering it in the password field but by "faking" the HTTP POST
>> values).
>>
>> The only way to protect the password is using SSL or TLS.
>>
>
> True, but not everybody can use SSL/TLS. What about some kind of
> authentication checking where the site would keep track of where you have
> logged in from and upon detection of a change would prompt you with a
> question that only you would know or send you an email that you would have
> to respond to before you could gain access?
Like certain ISPs that change the IP of the user with every request?

'where you have logged in from' is mostly impossible to determine.

--
Adrian Rossouw
Drupal developer and Bryght Guy
http://drupal.org | http://bryght.com




