[development] Securing Login: MD5 password hashing using javascript

Syscrusher scott at 4th.com
Thu Nov 10 15:23:15 UTC 2005


On Thursday 10 November 2005 05:25, Bèr Kessels wrote:
> No, really, this could indeed live in a contrib! But for me it is
> senseless. It's like putting an expensive lock on your door that needs
> three keys (instead of the much quicker to use one) while all your
> windows are broken and the backdoor has no lock at all.
> I'd say that false sense of security is worse than no security, since in
> the latter case, people are a little more careful.

So, because users are lazy (a point I freely grant) and browsers store
passwords and the initial password has to be mailed in the clear, we shouldn't
do anything to make Drupal itself less insecure?

That's like saying, "I'm not going to bother putting a lock on my door, because
somebody can break the glass in my windows and get in anyway."

> 
> So, make this a contrib, but mark it as "might help a little, but does
> not make your site secure".

This, I strongly support. Your point about a false sense of security is quite
valid, and we do need to make sure the docs for any contrib module clearly
inform a novice sysadmin that the module won't "solve all the world's problems."

Scott

-- 
-------------------------------------------------------------------------------
Scott Courtney     Drupal user name: "syscrusher"   http://drupal.org/user/9184
scott at 4th dot com       Drupal projects: http://drupal.org/project/user/9184
Sandbox:  http://cvs.drupal.org/viewcvs/drupal/contributions/sandbox/syscrusher

