[development] Securing Login: MD5 password hashing using javascript

Karoly Negyesi karoly at negyesi.net
Wed Nov 9 17:39:06 UTC 2005

Let me add my two cents.

Using JS to do a challenge-based MD5 auth -- not bad. md5(challenge
+ md5(password)) -- no replayability, no reveal of md5 hash of password.

Is this necessary? I do not think so, but a contrib module indeed could do
this, I think. As I linked in the issue, there are already ready-made
implementations (phplib). If it's done right and it's popular, I won't
object to moving it into core.

As for blogapi logins -- of course, SSL is a better solution but the above
would suffice for the many users who do not use blogapi.

But as it has been mentioned in the thread, the problem is that a vast  
majority of users are running from Windows where malware is pretty  
common... and you can't protect your users from them unless you do some  
real heavy trickery.
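
The md5(challenge + md5(password)) exchange described in this message, with both sides written out, as an added example that is not part of the original post and is not code from Drupal or phplib. LoginServer, clientResponse, demo and the sample account are hypothetical names and constructed data; it runs under Node.js.

```javascript
const crypto = require('node:crypto');

const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Server side: keeps md5(password) per user and hands out single-use challenges.
// Note: the stored md5(password) is exactly what a client needs to compute a
// valid response, so the user table must be protected like plaintext passwords.
class LoginServer {
  constructor(users) {
    this.stored = new Map(Object.entries(users).map(([u, p]) => [u, md5(p)]));
    this.pending = new Map(); // username -> outstanding challenge
  }
  issueChallenge(user) {
    const challenge = crypto.randomBytes(16).toString('hex');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, response) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // a challenge is consumed on first use, pass or fail
    const stored = this.stored.get(user);
    if (!challenge || !stored) return false;
    const expected = Buffer.from(md5(challenge + stored), 'hex');
    const got = Buffer.from(String(response), 'hex');
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  }
}

// Client side (what the login form's script would compute before submitting).
function clientResponse(challenge, password) {
  return md5(challenge + md5(password));
}

// Constructed walk-through: one good login, then the same captured response
// sent again against the used challenge and against a fresh one.
function demo() {
  const server = new LoginServer({ alice: 'correct horse' }); // constructed account
  const c1 = server.issueChallenge('alice');
  const r1 = clientResponse(c1, 'correct horse');
  const first = server.verify('alice', r1);
  const replaySameChallenge = server.verify('alice', r1);
  server.issueChallenge('alice');
  const replayNewChallenge = server.verify('alice', r1);
  const hashOnWire = r1 === md5('correct horse');
  return { first, replaySameChallenge, replayNewChallenge, hashOnWire };
}
```

The replay protection comes entirely from the server discarding each challenge after one verification attempt; a challenge that stays valid makes the response replayable.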



