473,574 Members | 3,086 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Proposal for Lite Encryption for Login Form without SSL

Another request for comments here.

I'd like to accomplish something like the scheme outlined at this page
here:

http://tinyurl.com/3dtcdr

In a nutshell, the form uses javascript to hash (md5) the password
field using a random one-time salt (nonce) -- generated by php and
pasted in the form -- that is then posted with the hashed password
back to the server. This way the password is not sent to the server
in plaintext.

In the example cited above, however, the password is stored unhashed
back at the server (i.e., in the database) and it's this problem
that's been tying me in knots this evening.

The most obvious way it seems to me to cut through the knot is to
simply copy the server-side salt (sss) used to hash the pw in the
database -- the salt is constant -- within the javascript portion of
the form so that that client would:

1. ssspw = md5(sss + pw)
2. nssspw = md5(nonce + ssspw)
3. post (1) nssspw, (2) nonce, (3) username (in plaintext)

Then on the server side, php would:

1. db_ssspw = fetch hashed password from db (which should == ssspw)
using username
2. db_nssspw = md5(POST[nonce] + db_ssspw)
3. compare POST[nssspw] and db_nssspw

While this does not expose the plaintext password or the hashed
password in the database, it does make public the server-side salt
used to generate the hash password by pasting it in plaintext in the
javascript -- though it does not post it from the form back to the
server.

So questions:

1) Is exposing the server-side salt a terminal flaw in this plan?
This would be the equivalent to a public key in public key encryption
systems, no?

2) Does exposing the server-side salt render hashing the password in
the database moot?

3) If this is flawed, is it still better than nothing, accepting as
given that SSL has been ruled out? (The article above notes that
Yahoo uses a system like this.)

4) Any better ideas for accomplishing the concept outlined here?

Before I run this over to the cryptology newsgroup, I thought I'd give
it an airing here.

Thanks,
Tom

Oct 1 '07 #1
19 3281
klenwell wrote:
Another request for comments here.

I'd like to accomplish something like the scheme outlined at this page
here:

http://tinyurl.com/3dtcdr

In a nutshell, the form uses javascript to hash (md5) the password
field using a random one-time salt (nonce) -- generated by php and
pasted in the form -- that is then posted with the hashed password
back to the server. This way the password is not sent to the server
in plaintext.

In the example cited above, however, the password is stored unhashed
back at the server (i.e., in the database) and it's this problem
that's been tying me in knots this evening.

The most obvious way it seems to me to cut through the knot is to
simply copy the server-side salt (sss) used to hash the pw in the
database -- the salt is constant -- within the javascript portion of
the form so that that client would:

1. ssspw = md5(sss + pw)
2. nssspw = md5(nonce + ssspw)
3. post (1) nssspw, (2) nonce, (3) username (in plaintext)

Then on the server side, php would:

1. db_ssspw = fetch hashed password from db (which should == ssspw)
using username
2. db_nssspw = md5(POST[nonce] + db_ssspw)
3. compare POST[nssspw] and db_nssspw

While this does not expose the plaintext password or the hashed
password in the database, it does make public the server-side salt
used to generate the hash password by pasting it in plaintext in the
javascript -- though it does not post it from the form back to the
server.

So questions:

1) Is exposing the server-side salt a terminal flaw in this plan?
This would be the equivalent to a public key in public key encryption
systems, no?

2) Does exposing the server-side salt render hashing the password in
the database moot?

3) If this is flawed, is it still better than nothing, accepting as
given that SSL has been ruled out? (The article above notes that
Yahoo uses a system like this.)

4) Any better ideas for accomplishing the concept outlined here?

Before I run this over to the cryptology newsgroup, I thought I'd give
it an airing here.

Thanks,
Tom
Why do you need to use the same salt (or even the same encryption
method) for the database?

Also, sending the password over an unencrypted link (even if the
password itself isn't encrypted) doesn't really give you anything. If I
want to hack into your system, all I need to do is watch the link for
the encrypted password coming over it, and create my own form (sans
javascript) to encrypt the password on my end and send it.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attgl obal.net
=============== ===
Oct 1 '07 #2
On Sep 30, 9:08 pm, Jerry Stuckle <jstuck...@attg lobal.netwrote:
klenwell wrote:
Another request for comments here.
I'd like to accomplish something like the scheme outlined at this page
here:
http://tinyurl.com/3dtcdr
In a nutshell, the form uses javascript to hash (md5) the password
field using a random one-time salt (nonce) -- generated by php and
pasted in the form -- that is then posted with the hashed password
back to the server. This way the password is not sent to the server
in plaintext.
In the example cited above, however, the password is stored unhashed
back at the server (i.e., in the database) and it's this problem
that's been tying me in knots this evening.
The most obvious way it seems to me to cut through the knot is to
simply copy the server-side salt (sss) used to hash the pw in the
database -- the salt is constant -- within the javascript portion of
the form so that that client would:
1. ssspw = md5(sss + pw)
2. nssspw = md5(nonce + ssspw)
3. post (1) nssspw, (2) nonce, (3) username (in plaintext)
Then on the server side, php would:
1. db_ssspw = fetch hashed password from db (which should == ssspw)
using username
2. db_nssspw = md5(POST[nonce] + db_ssspw)
3. compare POST[nssspw] and db_nssspw
While this does not expose the plaintext password or the hashed
password in the database, it does make public the server-side salt
used to generate the hash password by pasting it in plaintext in the
javascript -- though it does not post it from the form back to the
server.
So questions:
1) Is exposing the server-side salt a terminal flaw in this plan?
This would be the equivalent to a public key in public key encryption
systems, no?
2) Does exposing the server-side salt render hashing the password in
the database moot?
3) If this is flawed, is it still better than nothing, accepting as
given that SSL has been ruled out? (The article above notes that
Yahoo uses a system like this.)
4) Any better ideas for accomplishing the concept outlined here?
Before I run this over to the cryptology newsgroup, I thought I'd give
it an airing here.
Thanks,
Tom

Why do you need to use the same salt (or even the same encryption
method) for the database?

Also, sending the password over an unencrypted link (even if the
password itself isn't encrypted) doesn't really give you anything. If I
want to hack into your system, all I need to do is watch the link for
the encrypted password coming over it, and create my own form (sans
javascript) to encrypt the password on my end and send it.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attgl obal.net
=============== ===
Good points:
Why do you need to use the same salt (or even the same encryption
method) for the database?
It's a one-way hash, so the input strings have to match. And I don't
think that's possible without sharing the db salt with the client.
Two-way encrypt/decrypt might solve this, but I don't know offhand a
library or function that's readily available for both js and php.
Also, sending the password over an unencrypted link (even if the
password itself isn't encrypted) doesn't really give you anything. If I
want to hack into your system, all I need to do is watch the link for
the encrypted password coming over it, and create my own form (sans
javascript) to encrypt the password on my end and send it.
Yes, true, I've misapplied this. I don't think you would even have to
hash the password. Just send those three values: (1) nssspw, (2)
nonce, (3) username and they would work every time.

Looking again at the website cited, what should happen first is:

1. Server (PHP) generates challenge value (nonce) and includes it in
form as hidden value and *saves it as a session value* so not passed
back in open via form (i.e. SESSION[nonce]).
2. User submits form with : (1) username (in plaintext) (2) password
(in plaintext) (3) nonce [this is all still private and it has not
been posted yet]
3. The server-side salt (sss) is posted in the js section of form to
hash password to match db.

Then before posting back to server, javascript kicks in client-side:

1. ssspw = md5(sss + pw)
2. nssspw = md5(nonce + ssspw)
3. POST (1) nssspw, (2) username (in plaintext)

Then on the server side, php would:

1. db_ssspw = fetch hashed password from db (which should == ssspw)
using username
2. db_nssspw = md5(SESSION[nonce] + db_ssspw)
3. compare POST[nssspw] and db_nssspw
4. unset SESSION[nonce]

So then, if an eavesdropper sends back (1) nssspw, (2) username,
request fails because there's no SESSION[nonce] value anymore.

Thanks for drawing attention to my error, Jerry. This still leaves
open the questions:

1) Is exposing the server-side salt a serious issue?

2) Does exposing the server-side salt render hashing the password in
the database moot?

3) Any better ideas for accomplishing the concept outlined here?

The article also makes the obvious point that javascript is not always
enabled. I figure this could be addressed by including a note that
recommends turning on javascript. I think it's fair to assume that
anyone savvy enough to turn it off can turn it on long enough to log
in. If not, info could just be submitted in plaintext (assuming the
safety of the nation is not at risk if someone does happen to be
eavesdropping.)

Tom

Oct 1 '07 #3
Also, sending the password over an unencrypted link (even if the
password itself isn't encrypted) doesn't really give you anything. If I
want to hack into your system, all I need to do is watch the link for
the encrypted password coming over it, and create my own form (sans
javascript) to encrypt the password on my end and send it.
I believe that SSL is just completely silly. Take a look at numbers
(if any). Where you lose your password and your personal data is when
you get keylogged / trojaned, which means no SSL is going to secure
you. I know that from personal experience.

Why not do the following:

1. Password is sent in MD5 (password).
3. PHP checks if the password appears to be a valid md5 string
(telling it that md5 has already happened) or not. If not, it MD5s the
password, thus avoiding any bypassing.
4. PHP MD5s the MD5 along with a RANDOM salt.

When Registering:
PHP stores the MD5 Password plus the salt.

When Logging In:
PHP receives the MD5 password from the user (if js was on, else PHP
md5s on his own) and then MD5s again, applying the salt. Then it
verifies if the two hashes are exactly the same and poof ;).

Using a salt in these cases for Javascript would be useless because:
a) The user would know which salt it was, thus if he wanted to crack
the md5, he would be in the same status as if no salt was applied.
b) If it was a random salt, when logging in, Javascript wouldn't know
which salt was used before so he couldn't repeat the action ;).

Oct 1 '07 #4
Google for "challenged authentication" .

The idea is this:
The server asks a question that can only be answered if you know the
password.

The server could send the client an arbitrary word that the client
should hash, using the password as salt. This salted hash is then sent
to the server for verification.

Store the generated word in the session and clear it upon successful
login. This ensures you can only login once if someone monitors the
network traffic and the pre-login session. (You DO regenerate the
session upon successful login, don't you?)

Good luck,
--
Willem Bogaerts

Application smith
Kratz B.V.
http://www.kratz.nl/
Oct 1 '07 #5
The server could send the client an arbitrary word that the client
should hash, using the password as salt. This salted hash is then sent
to the server for verification.
If it's arbitrary, then odds are it will not be repeated easily.

What I mean is how does the browser know the salt he gave the user on
registration? I can register and only log the day after. The thingy
will not be in session any longer.

Oct 1 '07 #6
On 1 Oct, 06:04, klenwell <klenw...@gmail .comwrote:
On Sep 30, 9:08 pm, Jerry Stuckle <jstuck...@attg lobal.netwrote:
klenwell wrote:
Another request for comments here.
I'd like to accomplish something like the scheme outlined at this page
here:
>http://tinyurl.com/3dtcdr
In a nutshell, the form uses javascript to hash (md5) the password
field using a random one-time salt (nonce) -- generated by php and
pasted in the form -- that is then posted with the hashed password
back to the server. This way the password is not sent to the server
in plaintext.
In the example cited above, however, the password is stored unhashed
back at the server (i.e., in the database) and it's this problem
that's been tying me in knots this evening.
The most obvious way it seems to me to cut through the knot is to
simply copy the server-side salt (sss) used to hash the pw in the
database -- the salt is constant -- within the javascript portion of
the form so that that client would:
1. ssspw = md5(sss + pw)
2. nssspw = md5(nonce + ssspw)
3. post (1) nssspw, (2) nonce, (3) username (in plaintext)
Then on the server side, php would:
1. db_ssspw = fetch hashed password from db (which should == ssspw)
using username
2. db_nssspw = md5(POST[nonce] + db_ssspw)
3. compare POST[nssspw] and db_nssspw
While this does not expose the plaintext password or the hashed
password in the database, it does make public the server-side salt
used to generate the hash password by pasting it in plaintext in the
javascript -- though it does not post it from the form back to the
server.
So questions:
1) Is exposing the server-side salt a terminal flaw in this plan?
This would be the equivalent to a public key in public key encryption
systems, no?
2) Does exposing the server-side salt render hashing the password in
the database moot?
3) If this is flawed, is it still better than nothing, accepting as
given that SSL has been ruled out? (The article above notes that
Yahoo uses a system like this.)
4) Any better ideas for accomplishing the concept outlined here?
Before I run this over to the cryptology newsgroup, I thought I'd give
it an airing here.
Thanks,
Tom
Why do you need to use the same salt (or even the same encryption
method) for the database?
Also, sending the password over an unencrypted link (even if the
password itself isn't encrypted) doesn't really give you anything. If I
want to hack into your system, all I need to do is watch the link for
the encrypted password coming over it, and create my own form (sans
javascript) to encrypt the password on my end and send it.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attgl obal.net
=============== ===

Good points:
Why do you need to use the same salt (or even the same encryption
method) for the database?

It's a one-way hash, so the input strings have to match. And I don't
think that's possible without sharing the db salt with the client.
Two-way encrypt/decrypt might solve this, but I don't know offhand a
library or function that's readily available for both js and php.
Also, sending the password over an unencrypted link (even if the
password itself isn't encrypted) doesn't really give you anything. If I
want to hack into your system, all I need to do is watch the link for
the encrypted password coming over it, and create my own form (sans
javascript) to encrypt the password on my end and send it.

Yes, true, I've misapplied this. I don't think you would even have to
hash the password. Just send those three values: (1) nssspw, (2)
nonce, (3) username and they would work every time.

Looking again at the website cited, what should happen first is:

1. Server (PHP) generates challenge value (nonce) and includes it in
form as hidden value and *saves it as a session value* so not passed
back in open via form (i.e. SESSION[nonce]).
2. User submits form with : (1) username (in plaintext) (2) password
(in plaintext) (3) nonce [this is all still private and it has not
been posted yet]
3. The server-side salt (sss) is posted in the js section of form to
hash password to match db.

Then before posting back to server, javascript kicks in client-side:

1. ssspw = md5(sss + pw)
2. nssspw = md5(nonce + ssspw)
3. POST (1) nssspw, (2) username (in plaintext)

Then on the server side, php would:

1. db_ssspw = fetch hashed password from db (which should == ssspw)
using username
2. db_nssspw = md5(SESSION[nonce] + db_ssspw)
3. compare POST[nssspw] and db_nssspw
4. unset SESSION[nonce]

So then, if an eavesdropper sends back (1) nssspw, (2) username,
request fails because there's no SESSION[nonce] value anymore.

Thanks for drawing attention to my error, Jerry. This still leaves
open the questions:

1) Is exposing the server-side salt a serious issue?

2) Does exposing the server-side salt render hashing the password in
the database moot?

3) Any better ideas for accomplishing the concept outlined here?

The article also makes the obvious point that javascript is not always
enabled. I figure this could be addressed by including a note that
recommends turning on javascript. I think it's fair to assume that
anyone savvy enough to turn it off can turn it on long enough to log
in. If not, info could just be submitted in plaintext (assuming the
safety of the nation is not at risk if someone does happen to be
eavesdropping.)

Tom
Hi Tom,

I've used a similar method before and believe its valid:
1) Is exposing the server-side salt a serious issue?
It makes it possible to mount brute fore attacks on the back of being
able to sniff traffic. And if you have the same value for all users
then the attacker only needs to crack one to get them all. I use a
randomly generated value for all users, call it s_user and to a two
stage submit - first the username gets sent to fetch s_user and the
second salt (which MUST be single use and generated server-side - so
stored in the session - call it s_s for salt(session)) then at both
ends generate a comparison value:

client:
(send username u)

server:
$s_u=retrieve_s _u($_REQUEST['u']);
if (isnull($s_u)) {
$s_u = generate_random _salt();
}
$_SESSION['s_s']=generate_rando m_salt();
// send back s_u, s_s

client:
enc_pass=md5(pa ssword + s_u)
sendable_pas=md 5(enc_pass + s_s)
submit(u, sendable_pass)

server:
$s_u=retrieve_s _u($_REQUEST['u']);
$s_s=$_SESSION['s_s']
$enc_password=r etrieve_passwor d($_REQUEST['u']);
$comparison=md5 ($enc_password . $s_s);
if (comparison==$_ REQUEST['sendable_pass']) { // log em in
2) Does exposing the server-side salt render hashing the password in
the database moot?
Only if you can be 100.00000000000 ...% sure that there is no way to
access the data - which you can't.
3) Any better ideas for accomplishing the concept outlined here?
It only protects the login credentials, and as others have pointed out
it doesn't protect against attacks outside the operational domain (but
neither does SSL). You could address the former by using a javascript
implementation of an asymmetric alogirthm (I believe there's at least
one RSA implementation, adn there are raw RSA implementations in PHP,
but life's just too short to see if they work together - SSL's much
easier). Alternatively you could just keep the password client side
and use it as a key for symmetric encryption - but you need to use
seperate frames/windows to retain state client side - which is tricky.

I'd be willing to bet though that most users would have an expectation
that this is more secure than using a self-signed SSL certificate and
getting warnings about untrusted content popping up on their browser!

Jerry wrote:
Why do you need to use the same salt (or even the same encryption
method) for the database?
You need to use the same salt putting passwords into the database as
on the first iteration of the client side hash so the results are
consistent. You don't have to use the same hash for both iterations -
but why make life more complicated than it need be? Or did I miss
something?

(PS SHA1 is generally considered more secure than md5() and in PHP it
runs faster too)

HTH

C.

Oct 1 '07 #7
In the example cited above, however, the password is stored unhashed
back at the server (i.e., in the database) and it's this problem
that's been tying me in knots this evening.
Ok, I see. Hashing is not everything. If you are afraid of storing
password in plaintext you can encrypt them. How you store things in a
database has little to do with the authentication process itself.

Best regards,
--
Willem Bogaerts

Application smith
Kratz B.V.
http://www.kratz.nl/
Oct 1 '07 #8
klenwell wrote:
On Sep 30, 9:08 pm, Jerry Stuckle <jstuck...@attg lobal.netwrote:
>klenwell wrote:
>>Another request for comments here.
I'd like to accomplish something like the scheme outlined at this page
here:
http://tinyurl.com/3dtcdr
In a nutshell, the form uses javascript to hash (md5) the password
field using a random one-time salt (nonce) -- generated by php and
pasted in the form -- that is then posted with the hashed password
back to the server. This way the password is not sent to the server
in plaintext.
In the example cited above, however, the password is stored unhashed
back at the server (i.e., in the database) and it's this problem
that's been tying me in knots this evening.
The most obvious way it seems to me to cut through the knot is to
simply copy the server-side salt (sss) used to hash the pw in the
database -- the salt is constant -- within the javascript portion of
the form so that that client would:
1. ssspw = md5(sss + pw)
2. nssspw = md5(nonce + ssspw)
3. post (1) nssspw, (2) nonce, (3) username (in plaintext)
Then on the server side, php would:
1. db_ssspw = fetch hashed password from db (which should == ssspw)
using username
2. db_nssspw = md5(POST[nonce] + db_ssspw)
3. compare POST[nssspw] and db_nssspw
While this does not expose the plaintext password or the hashed
password in the database, it does make public the server-side salt
used to generate the hash password by pasting it in plaintext in the
javascript -- though it does not post it from the form back to the
server.
So questions:
1) Is exposing the server-side salt a terminal flaw in this plan?
This would be the equivalent to a public key in public key encryption
systems, no?
2) Does exposing the server-side salt render hashing the password in
the database moot?
3) If this is flawed, is it still better than nothing, accepting as
given that SSL has been ruled out? (The article above notes that
Yahoo uses a system like this.)
4) Any better ideas for accomplishing the concept outlined here?
Before I run this over to the cryptology newsgroup, I thought I'd give
it an airing here.
Thanks,
Tom
Why do you need to use the same salt (or even the same encryption
method) for the database?

Also, sending the password over an unencrypted link (even if the
password itself isn't encrypted) doesn't really give you anything. If I
want to hack into your system, all I need to do is watch the link for
the encrypted password coming over it, and create my own form (sans
javascript) to encrypt the password on my end and send it.

--
============== ====
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attg lobal.net
============== ====

Good points:
>Why do you need to use the same salt (or even the same encryption
method) for the database?

It's a one-way hash, so the input strings have to match. And I don't
think that's possible without sharing the db salt with the client.
Two-way encrypt/decrypt might solve this, but I don't know offhand a
library or function that's readily available for both js and php.
>Also, sending the password over an unencrypted link (even if the
password itself isn't encrypted) doesn't really give you anything. If I
want to hack into your system, all I need to do is watch the link for
the encrypted password coming over it, and create my own form (sans
javascript) to encrypt the password on my end and send it.

Yes, true, I've misapplied this. I don't think you would even have to
hash the password. Just send those three values: (1) nssspw, (2)
nonce, (3) username and they would work every time.

Looking again at the website cited, what should happen first is:

1. Server (PHP) generates challenge value (nonce) and includes it in
form as hidden value and *saves it as a session value* so not passed
back in open via form (i.e. SESSION[nonce]).
2. User submits form with : (1) username (in plaintext) (2) password
(in plaintext) (3) nonce [this is all still private and it has not
been posted yet]
3. The server-side salt (sss) is posted in the js section of form to
hash password to match db.

Then before posting back to server, javascript kicks in client-side:

1. ssspw = md5(sss + pw)
2. nssspw = md5(nonce + ssspw)
3. POST (1) nssspw, (2) username (in plaintext)

Then on the server side, php would:

1. db_ssspw = fetch hashed password from db (which should == ssspw)
using username
2. db_nssspw = md5(SESSION[nonce] + db_ssspw)
3. compare POST[nssspw] and db_nssspw
4. unset SESSION[nonce]

So then, if an eavesdropper sends back (1) nssspw, (2) username,
request fails because there's no SESSION[nonce] value anymore.

Thanks for drawing attention to my error, Jerry. This still leaves
open the questions:

1) Is exposing the server-side salt a serious issue?

2) Does exposing the server-side salt render hashing the password in
the database moot?

3) Any better ideas for accomplishing the concept outlined here?

The article also makes the obvious point that javascript is not always
enabled. I figure this could be addressed by including a note that
recommends turning on javascript. I think it's fair to assume that
anyone savvy enough to turn it off can turn it on long enough to log
in. If not, info could just be submitted in plaintext (assuming the
safety of the nation is not at risk if someone does happen to be
eavesdropping.)

Tom
Tom,

Not a lot more secure. Someone needs to see the traffic going both
ways, but if they can, it's still quite easy to do.

You may think this is a minor concern - and in most non-financial
transaction instances, it is. But if someone can see the traffic going
one way, they can see it going the other.

The problem with any of these ideas is the only thing it's doing is
giving you a false sense of security. You're sending data across an
unencrypted link, which means the information can be received, decoded
and duplicated.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attgl obal.net
=============== ===
Oct 1 '07 #9
Bruno Barros wrote:
>Also, sending the password over an unencrypted link (even if the
password itself isn't encrypted) doesn't really give you anything. If I
want to hack into your system, all I need to do is watch the link for
the encrypted password coming over it, and create my own form (sans
javascript) to encrypt the password on my end and send it.

I believe that SSL is just completely silly. Take a look at numbers
(if any). Where you lose your password and your personal data is when
you get keylogged / trojaned, which means no SSL is going to secure
you. I know that from personal experience.
Which is a completely different subject. SSL is not designed to cure
stupidity or carelessness.
Why not do the following:

1. Password is sent in MD5 (password).
3. PHP checks if the password appears to be a valid md5 string
(telling it that md5 has already happened) or not. If not, it MD5s the
password, thus avoiding any bypassing.
4. PHP MD5s the MD5 along with a RANDOM salt.

When Registering:
PHP stores the MD5 Password plus the salt.

When Logging In:
PHP receives the MD5 password from the user (if js was on, else PHP
md5s on his own) and then MD5s again, applying the salt. Then it
verifies if the two hashes are exactly the same and poof ;).

Using a salt in these cases for Javascript would be useless because:
a) The user would know which salt it was, thus if he wanted to crack
the md5, he would be in the same status as if no salt was applied.
b) If it was a random salt, when logging in, Javascript wouldn't know
which salt was used before so he couldn't repeat the action ;).
You're still sending the password in the clear, even if the password
itself is MD5 hashed. It would be very simple for anyone monitoring the
packets to get this information and duplicate it. You don't even need
the real password if you know the MD5 hash value that's being sent.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attgl obal.net
=============== ===
Oct 1 '07 #10

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
9745
by: Chris | last post by:
Hello all. I'm currently working on a new site that encompasses the registration of members. The registration is taking place through PHP interaction with MySQL. The site is just going to be for my friends and I, but I have run into an issue that I have often wondered about before. Any insight would be appreciated. The database...
13
2045
by: Ian Hickson | last post by:
A group of us have been unofficially working on a proposal of extensions to HTML4's Forms chapter, and would like to get input from a wider range of people now that we think our draft proposal is reaching a stable stage: http://www.whatwg.org/specs/web-forms/2004-06-27-call-for-comments/ Some of the features we are proposing include new...
3
1826
by: Harry Simpson | last post by:
Is there a way in .Net to encrypt a user id and password that comes as an HTML request from a login page without having to use a third party solution? In other words, when the user enters the user id and password and submits to get authenticated I want the id and password to be transferred encrypted to the server. Harry
5
1385
by: Leon | last post by:
How can I encrypted data sent across my website from web forms without using SSL? Such as on Login the user enter "EmailAddress" & "Password" and Simply Registration Form in which the user creates a Password, FirstName, LastName, etc. I see site like Careerbuilder and Monster allow user to register, login, and retrieve a lost password...
0
3329
by: fiona | last post by:
Innovasys Ltd., a leader in help authoring and documentation tools, today announced the inclusion of a tailored version of the Innovasys HelpStudio help authoring product, HelpStudio Lite, in the Microsoft Visual Studio 2005 Software Development Kit. By providing a full help authoring environment within the Visual Studio 2005 SDK, Innovasys...
7
6136
by: Steven Cliff | last post by:
I have started to use the new Enterprise Library (Jan 06) and have set up a skeleton project using the DAAB. This all seems to work fine apart from when I come to secure the app.config file via encryption. I have encrypted the connectionsettings block in the config file but obviously when I come to deploy the solution to other PC's, it...
6
3338
by: AppleBag | last post by:
I'm having the worst time trying to login to myspace through code. Can someone tell me how to do this? Please try it yourself before replying, only because I have asked this a couple of times in the past in other places, and while the help was much appreciated, it seemed everyone just wanted to 'theoretically' explain how to do it, but when I...
25
2379
by: eggie5 | last post by:
I have a form where a user can change his password, but I'm confused on how to prevent this from being transmitted in plain text. Well, I know how not to transmit it in plain text - use any type of encryption, but then the problem is, how do I decrypt it on the server to store it? If I use some type of key based encryption, the how do I...
0
3293
by: cbeels | last post by:
The client code is #install SOAP-Lite and MIME-tools packages use SOAP::Lite 'trace', 'debug'; #override version SOAP::Lite->soapversion('1.2'); #override credentials sub SOAP::Transport::HTTP::Client::get_basic_credentials {
0
7837
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main...
0
7755
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language...
0
6504
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then...
0
5333
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert...
0
3770
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in...
0
3791
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
2268
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
1
1366
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
0
1097
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.