[development] Securing Login: MD5 password hashing using javascript

Bèr Kessels ber at webschuur.com
Thu Nov 10 10:25:44 UTC 2005


There are more issues with this JS md5-ing than just sniffing.

* Browsers (or even better: operating systems, like KDE) store passwords.
  JavaScript often breaks this, leading to insecure situations, because
  I have to write down the passwords.

* People receive passwords by mail. They sit in the (hotmail) inbox forever.

* People use way too simple passwords and re-use them everywhere.

* People are lazy and naive by nature when it comes to security. Give
  them tough passwords, with rotation, and they'll stick post-its on
  their screens.

No, really, this could indeed live in a contrib! But for me it is
senseless. It's like putting an expensive lock on your door that needs
three keys (instead of the much quicker to use one) while all your
windows are broken and the backdoor has no lock at all.
I'd say that a false sense of security is worse than no security, since in
the latter case, people are a little more careful.

So, make this a contrib, but mark it as "might help a little, but does
not make your site secure".

Ber

