[development] Re: [drupal-devel] Securing Login: MD5 password hashing using javascript

Khalid B kb at 2bits.com
Wed Nov 9 18:01:04 UTC 2005


Thanks for taking the lead in this.

Can you submit that as a patch against user module?

This way more people will test it and comment on it.

On 11/9/05, Darrel O'Pry <dopry at thing.net> wrote:
> On Wed, 2005-11-09 at 10:29 -0500, Khalid B wrote:
> > Ber I agree with you that Javascript is not a solution. It gives a
> > false sense of security and exposes the stored md5 hash of the
> > password.
> >
> > I also agree with you that SSL is the ultimate solution if one really
> > needs security.
> >
> > However, I think that SSL in Drupal is an All Or None approach. Either
> > the entire site is SSL, or not SSL. There is no way at present where
> > only the login is https, and the rest is http.
> >
> > If this is addressed, then the whole argument for these half baked
> > solutions goes away: need security? Get SSL for login. Period.
> Well here you go... its a bit of a kludge, but works.
> patched url() and l() to have an ssl flag...
> Minor touch ups to user.module.
> Sry this is against 4.6.3... I haven't started playing with the
> formsapi, or head yet...
> .darrel.

More information about the development mailing list