[development] Re: [drupal-devel] Securing Login: MD5 password hashing using javascript

Khalid B kb at 2bits.com
Wed Nov 9 18:01:04 UTC 2005


Darrel

Thanks for taking the lead in this.

Can you submit that as a patch against user module?

This way more people will test it and comment on it.

On 11/9/05, Darrel O'Pry <dopry at thing.net> wrote:
> On Wed, 2005-11-09 at 10:29 -0500, Khalid B wrote:
> > Ber, I agree with you that Javascript is not a solution. It gives a
> > false sense of security and exposes the stored md5 hash of the
> > password.
> >
> > I also agree with you that SSL is the ultimate solution if one really
> > needs security.
> >
> > However, I think that SSL in Drupal is an All Or None approach. Either
> > the entire site is SSL, or not SSL. There is no way at present where
> > only the login is https, and the rest is http.
> >
> > If this is addressed, then the whole argument for these half-baked
> > solutions goes away: need security? Get SSL for login. Period.
>
> Well, here you go... it's a bit of a kludge, but works.
> patched url() and l() to have an ssl flag...
>
> Minor touch ups to user.module.
>
> Sry this is against 4.6.3... I haven't started playing with the
> formsapi, or head yet...
>
> .darrel.