[development] Security and Drupal

Greg Knaddison Greg at GrowingVentureSolutions.com
Sun Jan 9 17:25:36 UTC 2011

On Sun, Jan 9, 2011 at 8:12 AM, António P. P. Almeida <appa at perusio.net> wrote:
> 3. There's a very nice module http://drupal.org/project/safer_login
>   that sends a salted double pass MD5 hash of your password. It uses
>   a jQuery MD5 plugin. The issue is that it has problems with the
>   usual password saving mechanism in browsers, since what appears in
>   the password form field is the hash and not the password. If you
>   can live with *always* entering your password, hence not relying in
>   the convenient password remembering mechanism available in
>   browsers, this is a very cheap and easy way of securing the login
>   process.

This secures the password, but not the session. The session token is
still sent in the clear and can be sniffed and hijacked (see

The safer_login module is mostly "security theater" designed to make
people feel good but not actually increase security.

I think OpenID where users can have a provider that uses https is a
better solution if the only goal is to protect the user password but
not necessarily the session. OpenID has the benefit of reducing the
number of passwords that a user has to remember and can make it more
cost effective to do multi-factor authentication (e.g. using a SecurID


Greg Knaddison | 720-310-5623 | http://growingventuresolutions.com
Mastering Drupal | http://www.masteringdrupal.com

More information about the development mailing list