[development] Securing Login: MD5 password hashing using
karoly at negyesi.net
Wed Nov 9 17:39:06 UTC 2005
Let me add my two cents.
Using JS to do a challenge-based MD5 auth -- not bad. md5(challenge
+ md5(password)) -- no replayability, no reveal of the md5 hash of the password.
Is this necessary? I do not think so, but a contrib module indeed could do
this, I think. As I linked in the issue, there are already ready-made
implementations (phplib). If it's done right and it's popular, I won't
object to moving it into core.
As for blogapi logins -- of course, SSL is a better solution but the above
would suffice for the many users who do not blogapi.
But as it has been mentioned in the thread, the problem is that a vast
majority of users are running from Windows where malware is pretty
common... and you can't protect your users from them unless you do some
real heavy trickery.
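
The exchange described above, as an added example that is not part of the original post: a Node.js sketch of md5(challenge + md5(password)) with a single-use, expiring challenge, showing both the client and server side. The in-memory stores, function names, sample user and TTL are assumptions made for illustration.

```javascript
// Added example (not from the original post). All names are hypothetical.
const nodeCrypto = require("crypto");

const md5 = (s) => nodeCrypto.createHash("md5").update(s, "utf8").digest("hex");

// Server state. The server keeps md5(password), so that stored value must be
// protected like a password: it is all that is needed to compute a response.
const users = new Map([["alice", md5("correct horse")]]); // constructed sample
const pending = new Map(); // challenge -> expiry time in ms
const CHALLENGE_TTL_MS = 60000;

// Server: hand out a fresh random challenge with the login form.
function issueChallenge(now = Date.now()) {
  const challenge = nodeCrypto.randomBytes(16).toString("hex");
  pending.set(challenge, now + CHALLENGE_TTL_MS);
  return challenge;
}

// Client: what the login form's script computes before submitting.
function clientResponse(challenge, password) {
  return md5(challenge + md5(password));
}

// Server: verify the response and retire the challenge.
function verifyLogin(user, challenge, response, now = Date.now()) {
  const expiry = pending.get(challenge);
  pending.delete(challenge); // single use, so a captured pair cannot be replayed
  if (expiry === undefined || now > expiry) return false;
  const stored = users.get(user);
  if (stored === undefined) return false;
  const expected = Buffer.from(md5(challenge + stored), "hex");
  const got = Buffer.from(String(response), "hex");
  // Constant-time comparison of the two digests.
  return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
}

// Walk through one login, a replay of it, and an old response on a new challenge.
function demo() {
  const c = issueChallenge();
  const r = clientResponse(c, "correct horse");
  const first = verifyLogin("alice", c, r);
  const replay = verifyLogin("alice", c, r);
  const stale = verifyLogin("alice", issueChallenge(), r);
  return { first, replay, stale };
}
```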