Hi,

I want to create a login page which uses MD5 to encrypt the password over the
network. I can think of two approaches:

1. The password is stored unencrypted in the database. When the user
requests the login page, a random string is generated and sent along. The
client takes the password, appends the random string to it, encrypts the
result and sends it. The server has both the random string and the password.
It encrypts the password (from the database) + random_string and matches
this against what the client sent. This approach has a problem: since the
password has to be stored in the database unencrypted, it must be sent over
the network unencrypted once.

2. The password is encrypted: the client takes the password, encrypts it and
sends it. The server matches the encrypted passwords. Again, a problem: the
client is a browser and the MD5 encryption is done through JavaScript. The
hacker gets the encrypted password once, through network logs. He disables
JavaScript (or writes a new form without JavaScript) and sends the
encrypted password directly to the server.

What is the standard approach to using MD5? How do I solve the above
problems (I prefer approach 2 because it stores the password encrypted in
the database)?

Hardeep Singh
http://SeeingWithC.cjb.net

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.html
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
