[development] Securing Login: MD5 password hashing using javascript

Pat Collins pat at linuxcolumbus.com
Wed Nov 9 16:36:01 UTC 2005


On Wed, 9 Nov 2005 10:53:29 -0500, Syscrusher <scott at 4th.com> wrote :

> 
> This nonce or one-time-pad technique is very common in authentication schemes.
> It won't stop a playback or man-in-the-middle attack, but it *does* keep the
> actual MD5 of the password from being exposed. The only cleartext sent is
> the nonce, and the only MD5 sent is one that included the nonce in its
> creation.
> 

This doesn't even begin to address spyware/keyloggers.  The only
solution is ssl/tls since you are still sending the data in clear text over
an unsecured network.  But even in that case a locally installed keylogger
will get your passwords no matter what.

My previous email message about keeping track of where the user is logged in
from, by IP or ISP assigned IP block, would be a much better solution if you
don't have or can't use ssl/tls.  Kind of like smtp-auth for the web.

Pat
