[development] Re: [drupal-devel] Securing Login: MD5 password hashing using javascript

Khalid B kb at 2bits.com
Wed Nov 9 15:29:01 UTC 2005


Ber, I agree with you that JavaScript is not a solution. It gives a
false sense of security and exposes the stored md5 hash of the
password.

I also agree with you that SSL is the ultimate solution if one really
needs security.

However, I think that SSL in Drupal is an all-or-nothing approach: either
the entire site is SSL, or none of it is. There is no way at present to
have only the login over https and the rest over http.

If this is addressed, then the whole argument for these half-baked
solutions goes away: need security? Get SSL for login. Period.


On 11/9/05, Bèr Kessels <ber at webschuur.com> wrote:
> On Tue, Nov 08, 2005 at 12:29:56PM -0500, Pat Collins wrote:
> > True, but not everybody can use ssl/tls.  What about some kind of
> > authentication checking where the site would keep track of where you have
> > logged in from and upon detection of a change would prompt you with a
> > question that only you would know or send you an email that you would have
> > to respond to before you could gain access?
> If a user is really so concerned about security, he/she should just get
> SSL. Saying "if someone has no access to SSL/TLS, but still wants
> security" sounds like saying "I want my house burglar-safe, but do not
> want to pay for good safe locks".
>
> I dislike the idea of using Javascript for hashing. It smells a lot like
> security through obscurity. And it brings a lot of new problems. I think
> we should simply re-use the existing tools. SSL and TLS.
>
> Ber
>

