Reply to Re: Proposal for Lite Encryption for Login Form without SSL

Posted by Bruno Barros on 10/01/07 08:56

> Also, sending the password over an unencrypted link (even if the
> password itself isn't encrypted) doesn't really give you anything. If I
> want to hack into your system, all I need to do is watch the link for
> the encrypted password coming over it, and create my own form (sans
> javascript) to encrypt the password on my end and send it.

I believe that SSL is just completely silly. Take a look at numbers
(if any). Where you lose your password and your personal data is when
you get keylogged / trojaned, which means no SSL is going to secure
you. I know that from personal experience.

Why not do the following:

1. Password is sent in MD5 (password).
3. PHP checks if the password appears to be a valid md5 string
(telling it that md5 has already happened) or not. If not, it MD5s the
password, thus avoiding any bypassing.
4. PHP MD5s the MD5 along with a RANDOM salt.

When Registering:
PHP stores the MD5 Password plus the salt.

When Logging In:
PHP receives the MD5 password from the user (if JS was on, else PHP
MD5s it on its own) and then MD5s again, applying the salt. Then it
verifies if the two hashes are exactly the same and poof ;).

Using a salt in these cases for Javascript would be useless because:
a) The user would know which salt it was, thus if he wanted to crack
the md5, he would be in the same status as if no salt was applied.
b) If it was a random salt, when logging in, JavaScript wouldn't know
which salt was used before, so it couldn't repeat the action ;).
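A Python model of the scheme laid out in the post above, added here as an example (it is not code from the thread; the password and the fixed salt are constructed). It shows that the client-side digest, once seen on the unencrypted link, logs in exactly as the password does (the objection in the quoted reply), and that the "looks like a valid MD5 string" test in step 3 cannot tell a pre-hashed value from a real password that happens to be 32 hex characters.

```python
import hashlib
import os
import re
from typing import Optional

HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def normalize_client_value(value: str) -> str:
    """Step 3: if the posted value looks like an MD5 digest, assume the
    JavaScript already hashed it; otherwise hash it server-side."""
    return value if HEX_MD5.match(value) else md5_hex(value)


def register(password: str, salt: Optional[str] = None) -> dict:
    """Registration / step 4: store md5(md5(password) + salt) and the salt."""
    salt = salt if salt is not None else os.urandom(8).hex()
    return {"salt": salt, "hash": md5_hex(md5_hex(password) + salt)}


def login(record: dict, submitted: str) -> bool:
    """Login: re-derive the salted hash from whatever the client posted."""
    inner = normalize_client_value(submitted)
    return md5_hex(inner + record["salt"]) == record["hash"]


def demo() -> tuple:
    # Constructed account; a fixed salt keeps the run reproducible.
    record = register("correct horse", salt="deadbeef")
    plain_ok = login(record, "correct horse")        # JS off: raw password posted
    on_the_wire = md5_hex("correct horse")           # JS on: this is what the link carries
    js_ok = login(record, on_the_wire)
    # The server accepts the observed digest as-is, so the digest is a
    # password equivalent; the random salt never enters the picture.
    wrong = login(record, "wrong password")
    # Ambiguity of step 3: a genuine password of 32 hex characters is never
    # hashed server-side, so the server cannot distinguish the two cases.
    hexlike = "0123456789abcdef0123456789abcdef"
    ambiguous = normalize_client_value(hexlike) == hexlike
    return plain_ok, js_ok, wrong, ambiguous
```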
