[development] Securing Login: MD5 password hashing using javascript

Chris Cook beerfan at gmail.com
Wed Nov 9 16:04:16 UTC 2005


On 11/9/05, Syscrusher <scott at 4th.com> wrote:
> I'm not meaning to take sides on the overall issue of whether the JavaScript
> authentication hash is a good idea or not -- I don't have a strong preference.
> But it is possible to implement it without exposing the MD5 of the actual
> password on the Internet.

On a somewhat related topic, I have always been hesitant about the
drupal.module feature of logging into a site using an account from
another system because it would be possible for a malicious admin to
modify drupal.module on his site to capture the password. It might be
possible to use the above method, in combination with something else,
to protect against sending a plain text password through the site
being visited. Of course I'd love to be wrong about the whole thing.

