Re: Proposal for Lite Encryption for Login Form without SSL

Posted by Jerry Stuckle on 10/01/07 12:13

Bruno Barros wrote:
>> Also, sending the password over an unencrypted link (even if the
>> password itself isn't encrypted) doesn't really give you anything. If I
>> want to hack into your system, all I need to do is watch the link for
>> the encrypted password coming over it, and create my own form (sans
>> javascript) to encrypt the password on my end and send it.
>
> I believe that SSL is just completely silly. Take a look at numbers
> (if any). Where you lose your password and your personal data is when
> you get keylogged / trojaned, which means no SSL is going to secure
> you. I know that from personal experience.
>

Which is a completely different subject. SSL is not designed to cure
stupidity or carelessness.

> Why not do the following:
>
> 1. Password is sent in MD5 (password).
> 3. PHP checks if the password appears to be a valid md5 string
> (telling it that md5 has already happened) or not. If not, it MD5s the
> password, thus avoiding any bypassing.
> 4. PHP MD5s the MD5 along with a RANDOM salt.
>
> When Registering:
> PHP stores the MD5 Password plus the salt.
>
> When Logging In:
> PHP receives the MD5 password from the user (if js was on, else PHP
> md5s on his own) and then MD5s again, applying the salt. Then it
> verifies if the two hashes are exactly the same and poof ;).
>
> Using a salt in these cases for Javascript would be useless because:
> a) The user would know which salt it was, thus if he wanted to crack
> the md5, he would be in the same status as if no salt was applied.
> b) If it was a random salt, when logging in, Javascript wouldn't know
> which salt was used before so he couldn't repeat the action ;).
>

You're still sending the password in the clear, even if the password
itself is MD5 hashed. It would be very simple for anyone monitoring the
packets to get this information and duplicate it. You don't even need
the real password if you know the MD5 hash value that's being sent.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
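To make Jerry's objection concrete, here is the scheme Bruno describes modelled in PHP. This is an added example, not code from the thread; the function names, the in-memory user table and the sample password are this example's own. It implements registration (md5 of the password, then md5 again with a random salt) and the login check that accepts either a raw password or a value the browser already ran through md5(), and it shows that the 32-character value crossing the wire logs in on its own: it is simply a different password travelling in the clear, and only transport encryption changes that.

```php
<?php
// Added example modelling the quoted proposal; names are this example's own.

// Registration: store md5(md5(password) . salt) with a random per-user salt.
function register_user(array &$users, string $username, string $password): void
{
    $salt = bin2hex(random_bytes(8));          // random salt, as in step 4
    $users[$username] = [
        'salt' => $salt,
        'hash' => md5(md5($password) . $salt),
    ];
}

// Server side of steps 3 and 4: if the submitted value already looks like an
// md5 digest, assume the browser hashed it; otherwise hash it here.
function normalise_submitted(string $submitted): string
{
    return preg_match('/^[0-9a-f]{32}$/i', $submitted)
        ? strtolower($submitted)
        : md5($submitted);
}

// Login: re-apply the stored salt and compare in constant time.
function login(array $users, string $username, string $submitted): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $rec   = $users[$username];
    $inner = normalise_submitted($submitted);
    return hash_equals($rec['hash'], md5($inner . $rec['salt']));
}

$users = [];
register_user($users, 'alice', 'correct horse');   // constructed sample account

// What actually crosses the wire when JavaScript is on: md5('correct horse').
// Over plain HTTP anyone on the path can read this value.
$on_the_wire = md5('correct horse');

var_dump(login($users, 'alice', 'correct horse')); // true: real password known
var_dump(login($users, 'alice', $on_the_wire));    // true: only the wire value known
var_dump(login($users, 'alice', md5('guess')));    // false
```

The second call is the whole point: the server cannot tell a browser that hashed the real password from a client that merely resubmits the observed digest, so client-side hashing changes what the credential looks like without changing who can use it. The random salt protects the stored hash if the database leaks; it does nothing for the value in transit.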
