[development] Securing Login: MD5 password hashing using javascript

Khalid B kb at 2bits.com
Wed Nov 9 17:04:21 UTC 2005


On 9 Nov 2005 11:49:36 -0500, Pat Collins <pat at linuxcolumbus.com> wrote:
>
> On Wed, 9 Nov 2005 11:40:11 -0500, Khalid B <kb at 2bits.com> wrote :
>
> > > This doesn't even begin to address spyware/keyloggers.  The the only
> > > solution is ssl/tls since you are still sending the data in clear text over
> > > an unsecured network.  But even in that case a locally installed keylogger
> > > will get your passwords no matter what.
> >
> > Spyware keyloggers will still compromise passwords even if SSL is
> > used, since they are a local thing on the PC that captures keystroke.
> >
> > SSL is no solution to that.
> >
>
> Didn't I just say that?  If not I meant too. :)
>
> So here is my vote no vote for MD5 via javascript.

Well, it sounded like you were criticizing the SSL solution vecause it
does not address keyloggers. I was saying that it will not (nothing so
far protects from a local infection).

So we are in agreement, and I apologize.


More information about the development mailing list