Try this. Store the passwords as MD5 hashes. Send a random string to the
user for the login page. The user enters the password. This is MD5 encoded.
Then append the random string and MD5 encode that. On the server side you
can append the random string to the MD5 password you have, md5 them and
compare the result. I'm not a cryptographer and doing something like this
probably has all kinds of tiny problems but I guess if you're really
concerned you'd just use SSL for the login.
Clayton
----- Original Message -----
From: "Hardeep Singh" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 10, 2001 7:49 AM
Subject: Offtopic: MD5 based login
> Hi,
>
> I want to create a login page which uses MD5 to encrypt password over the
> network. I can think of two approaches:
>
> 1. The password is stored un-encrypted in the database. When the user
> requests the login page, a random string is generated and sent along. The
> client takes the password, appends the random string to it, encrypts the
> password and sends. The server has both the random string and the password.
> It encrypts the password(from the database)+random_string and matches
> against that sent by the client. This approach has a problem: Since the
> password has to be stored in the database unencrypted, it must be sent over
> the network un-encrypted once.
>
> 2. The password is encrypted: The client takes the password, encrypts and
> sends. The server matches the encrypted passwords. Again, problem: The
> client is a browser and the MD5 encryption is done through Java Script. The
> hacker gets the encrypted password once, through network logs. He disables
> Java Script (or writes a new form without Java Script) and sends the
> encrypted password directly to the server.
>
> What is the standard approach to using MD5? How do I solve the above
> problems (I prefer approach 2 because it stores the password encrypted in
> the database)?
>
> Hardeep Singh
> http://SeeingWithC.cjb.net
>
>
> ===========================================================================
> To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
> For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
> Some relevant FAQs on JSP/Servlets can be found at:
>
> http://java.sun.com/products/jsp/faq.html
> http://www.esperanto.org.nz/jsp/jspfaq.html
> http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
> http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
>