On Wed, Oct 31, 2012 at 1:03 PM, Umair Kayani <[email protected]> wrote:
> What I want is to make my login password encrypted without deploying SSL 
> certificate (without going on to https). What I investigated so far is that 
> my password travels in plain text on the network which is a security risk. 
> But when I check my password in database it is the hash value so I want to 
> know at what point my password calculates its hash or verify its hash. Please 
> also let me know what code files are involved in all its process

That's correct, the password is sent in plain text over HTTP, which is why
it's recommended to use HTTPS at least for the login form.

I have to say that while it's possible to make a system which will
encrypt the password being sent, that means reimplementing "something
like TLS", which is bound to be a poor reimplementation and is one of
the most common security mistakes in general. For that reason, I'm not
going to give you tips on how to do it.

I'm wondering what is the reason why you don't want to use HTTPS.
Perhaps you don't have a free IP address? The solution is to use SNI
(Server Name Indication).


Regards,
~~helix84

Compulsory reading: DSpace Mailing List Etiquette
https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
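To make the point of the reply concrete: the hash the original poster sees in the database is computed on the server after the password has already crossed the network in the clear. The example below is added here and is not helix84's code or DSpace's login code; the form field names, the PBKDF2 parameters and the captured request body are constructed for illustration and are not DSpace's. It parses a login POST body the way a server would, hashes the password with a per-user salt for storage, and verifies a later login against that stored value, so the cleartext on the wire and the hash at rest can be compared side by side.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample: the body of a login POST sent over plain HTTP.
# Every byte of this is readable to anyone on the network path; nothing
# in it is hashed. (Field names are hypothetical, not DSpace's.)
CAPTURED_POST_BODY = (
    "login_email=user%40example.org&login_password=correct+horse&submit=Log+In"
)

# Work factor for the at-rest hash; constructed value for the example.
PBKDF2_ROUNDS = 100_000


def credentials_from_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded login body as a server does."""
    fields = parse_qs(body)
    return {
        "email": fields["login_email"][0],
        "password": fields["login_password"][0],  # still cleartext at this point
    }


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive the value that is stored in the database: a random salt plus
    a PBKDF2-HMAC-SHA256 digest. Hashing happens here, on the server,
    after the password has arrived."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive the digest from the submitted password and compare in
    constant time against the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def login_flow(body: str, salt: bytes, stored: bytes) -> dict:
    """Simulate one login: what travelled on the wire, what sits in the
    database, and whether the two agree."""
    creds = credentials_from_body(body)
    return {
        "on_the_wire": creds["password"],
        "in_database": stored.hex(),
        "verified": verify_password(creds["password"], salt, stored),
    }


if __name__ == "__main__":
    salt, stored = hash_password("correct horse")
    result = login_flow(CAPTURED_POST_BODY, salt, stored)
    print("on the wire :", result["on_the_wire"])
    print("in database :", result["in_database"])
    print("verified    :", result["verified"])
```

The at-rest hash protects the password if the database leaks; it does nothing for the request in transit, which is the gap that HTTPS on the login form closes.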

_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech
