[development] Re: [drupal-devel] Securing Login: MD5 password hashing using javascript

Bèr Kessels ber at webschuur.com
Wed Nov 9 15:23:39 UTC 2005


On Tue, Nov 08, 2005 at 12:29:56PM -0500, Pat Collins wrote:
> True, but not everybody can use ssl/tls.  What about some kind of
> authentication checking where the site would keep track of where you have
> logged in from and upon detection of a change would prompt you with a
> question that only you would know or send you an email that you would have
> to respond to before you could gain access?

If a user is really so concerned about security, he/she should just get
SSL. Saying "if someone has no access to SSL/TLS, but still wants
security" sounds like saying "I want my house burglar-safe, but do not
want to pay for good safe locks". 

I dislike the idea of using JavaScript for hashing. It smells a lot like
security through obscurity. And it brings a lot of new problems. I think
we should simply re-use the existing tools: SSL and TLS.

Ber

