On Sun, Jan 9, 2011 at 8:12 AM, António P. P. Almeida <a...@perusio.net> wrote:
> 3. There's a very nice module http://drupal.org/project/safer_login
> that sends a salted double-pass MD5 hash of your password. It uses
> a jQuery MD5 plugin. The issue is that it has problems with the
> usual password saving mechanism in browsers, since what appears in
> the password form field is the hash and not the password. If you
> can live with *always* entering your password, hence not relying on
> the convenient password remembering mechanism available in
> browsers, this is a very cheap and easy way of securing the login
> process.
This secures the password, but not the session. The session token is still sent in the clear and can be sniffed and hijacked (see Firesheep). The safer_login module is mostly "security theater" designed to make people feel good but not actually increase security.

I think OpenID where users can have a provider that uses https is a better solution if the only goal is to protect the user password but not necessarily the session. OpenID has the benefit of reducing the number of passwords that a user has to remember and can make it more cost effective to do multi-factor authentication (e.g. using a SecurID token).

Regards,
Greg

--
Greg Knaddison | 720-310-5623 | http://growingventuresolutions.com
Mastering Drupal | http://www.masteringdrupal.com
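The point Greg makes above, as an added example that is not part of the thread and is not code from the safer_login module or from Drupal: a simulated safer_login-style client-side hash next to a small audit that walks constructed HTTP exchanges and reports which secret-bearing values still cross an unencrypted channel. The double-MD5 formula, the `SESS...` cookie name, the form field names and the sample traffic are all assumptions constructed for the demonstration.

```python
"""Added example: client-side password hashing does not cover the session cookie.

Nothing here is taken from the safer_login module or from Drupal; the hash
formula, cookie name, field names and traffic are constructed assumptions.
"""
import hashlib
from urllib.parse import parse_qs

# Constructed, Drupal-style session cookie name (assumption, not a real value).
SESSION_COOKIE = "SESS0123456789abcdef0123456789abcdef"


def client_side_hash(password: str, salt: str) -> str:
    """Salted double-pass MD5 of the kind the thread describes the jQuery
    plugin producing. The exact composition (salt prepended to the first
    digest) is an assumption for this example, not the module's formula."""
    first_pass = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((salt + first_pass).encode()).hexdigest()


def looks_like_md5(value: str) -> bool:
    """True if the value has the shape of a hex MD5 digest."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)


def audit_exchanges(exchanges):
    """Return (path, kind) findings for every secret that travels over plain http.

    Each exchange is a dict with keys scheme, method, path, headers, body.
    Exchanges over https are skipped: the channel protects everything in them.
    """
    findings = []
    for ex in exchanges:
        if ex["scheme"] == "https":
            continue
        # The login form: with safer_login the field carries a hash, not the
        # cleartext password, so classify what we see.
        form = parse_qs(ex.get("body", ""))
        if "pass" in form:
            value = form["pass"][0]
            kind = "hashed password" if looks_like_md5(value) else "plaintext password"
            findings.append((ex["path"], kind))
        # Every later request carries the session cookie regardless of how the
        # password was submitted; over http it is readable to anyone on the path.
        cookie_header = ex["headers"].get("Cookie", "")
        if SESSION_COOKIE + "=" in cookie_header:
            findings.append((ex["path"], "session cookie"))
    return findings


# Constructed sample traffic: a safer_login-style login POST followed by an
# authenticated GET, both over http.
SAMPLE_EXCHANGES = [
    {
        "scheme": "http",
        "method": "POST",
        "path": "/user/login",
        "headers": {"Host": "example.invalid"},
        "body": "name=alice&pass=" + client_side_hash("correct horse", "page-salt")
        + "&form_id=user_login",
    },
    {
        "scheme": "http",
        "method": "GET",
        "path": "/user",
        "headers": {"Host": "example.invalid",
                    "Cookie": SESSION_COOKIE + "=constructedsessionid"},
        "body": "",
    },
]


def findings_over_https(exchanges):
    """Same audit with every exchange moved to https: the cure the thread
    implies (an https-protected session) removes all findings."""
    return audit_exchanges([dict(ex, scheme="https") for ex in exchanges])


if __name__ == "__main__":
    for path, kind in audit_exchanges(SAMPLE_EXCHANGES):
        print(f"exposed over http: {kind} in request to {path}")
    print("over https:", findings_over_https(SAMPLE_EXCHANGES))
```

Running it lists the hashed password in the login POST and the session cookie in the follow-up GET as both exposed on the plain-http path; moving the whole session to https is what clears the second finding, which is the gap the hashing plugin leaves open.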