[development] Security and Drupal
Greg Knaddison
Greg at GrowingVentureSolutions.com
Sun Jan 9 17:25:36 UTC 2011
On Sun, Jan 9, 2011 at 8:12 AM, António P. P. Almeida <appa at perusio.net> wrote:
> 3. There's a very nice module http://drupal.org/project/safer_login
> that sends a salted double pass MD5 hash of your password. It uses
> a jQuery MD5 plugin. The issue is that it has problems with the
> usual password saving mechanism in browsers, since what appears in
> the password form field is the hash and not the password. If you
> can live with *always* entering your password, hence not relying on
> the convenient password remembering mechanism available in
> browsers, this is a very cheap and easy way of securing the login
> process.
This secures the password, but not the session. The session token is
still sent in the clear and can be sniffed and hijacked (see
Firesheep).
The safer_login module is mostly "security theater" designed to make
people feel good but not actually increase security.
I think OpenID where users can have a provider that uses https is a
better solution if the only goal is to protect the user password but
not necessarily the session. OpenID has the benefit of reducing the
number of passwords that a user has to remember and can make it more
cost effective to do multi-factor authentication (e.g. using a SecurID
token).
Regards,
Greg
--
Greg Knaddison | 720-310-5623 | http://growingventuresolutions.com
Mastering Drupal | http://www.masteringdrupal.com
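As an added illustration of the point Greg makes above (a constructed example, not code from the safer_login module or from anyone in this thread): a minimal model of a site whose login form submits a client-side hash instead of the raw password, and which then issues a session token. The hash construction `md5(salt + md5(password))`, the site salt and the cookie name `SESS` are assumptions. The model shows that the user's password never appears on the wire, but the session token is a separate secret whose only protection is being marked `Secure` so that the browser never sends it over plain HTTP.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed model: a client-side password hash protects the raw password,
# but the session token is an independent secret. Not safer_login's code.

SITE_SALT = "example-site-salt"  # assumed: a per-site salt the page gives the browser


def client_side_hash(password: str, salt: str = SITE_SALT) -> str:
    """Assumed shape of a 'salted double pass MD5': md5(salt + md5(password))."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((salt + inner).encode("utf-8")).hexdigest()


class Site:
    """Minimal server: compares the submitted hash, then issues a session token."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}     # username -> stored client-side hash
        self.sessions: Dict[str, str] = {}  # token -> username

    def register(self, username: str, password: str) -> None:
        # The server only ever receives and stores the client-side hash.
        self.users[username] = client_side_hash(password)

    def login(self, username: str, submitted_hash: str) -> Optional[str]:
        """Return a fresh session token on success, None otherwise."""
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected, submitted_hash):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def whoami(self, token: str) -> Optional[str]:
        """Resolve a presented session token to its user (the cookie is the credential)."""
        return self.sessions.get(token)


def session_cookie(token: str, https: bool) -> str:
    """Build the Set-Cookie header the site sends; Secure is only set on https."""
    attrs = ["SESS=" + token, "HttpOnly", "Path=/"]
    if https:
        attrs.append("Secure")
    return "; ".join(attrs)


def cookie_is_exposed_to_plaintext(set_cookie: str) -> bool:
    """True if a browser would send this cookie over plain HTTP (no Secure
    attribute), which is exactly the condition a passive sniffer needs."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")}
    return "secure" not in attrs


if __name__ == "__main__":
    site = Site()
    site.register("alice", "correct horse")
    wire_value = client_side_hash("correct horse")   # what the login POST carries
    token = site.login("alice", wire_value)
    print("password on the wire:", "correct horse" in wire_value)          # False
    print("session over http exposed:",
          cookie_is_exposed_to_plaintext(session_cookie(token, https=False)))  # True
    print("session over https exposed:",
          cookie_is_exposed_to_plaintext(session_cookie(token, https=True)))   # False
```

The check to carry away is `cookie_is_exposed_to_plaintext`: hashing in the browser changes nothing about it, because `whoami` authenticates by token alone. Only serving the site over TLS and flagging the session cookie `Secure` keeps the token off the plaintext network, which is the gap Greg points at.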