On Thu, Nov 18, 2010 at 11:53 AM, Hiram Clawson <[email protected]> wrote:
> Good Morning MediaWiki Fans:
>
> Are there any options to turn on encryption of the password
> from the login page ? Is the login information sent in
> clear text ?
>

The only way to send passwords and session cookies securely is to run the site over HTTPS; see your web server's documentation or your provider's support pages on how to use HTTPS.

We experimented briefly in '05 with JavaScript stuff to send salted MD5 hashes instead of raw passwords which in theory is slightly more secure than plaintext passwords over HTTP; but this never really worked out and ultimately still leaves all your session tokens exposed. The web has a good solution for this problem already, which is to run all authenticated sessions and authentication information over an encrypted connection.

There are some options & extensions out there to help direct the login page over to HTTPS if you need to serve unauthenticated pages over HTTP for performance reasons, but it'll simplify your life a lot to just go HTTPS-only.

-- brion
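The point about hashed logins over plain HTTP, as an added example that is not part of the original message and is not MediaWiki code: a toy in-memory login that sends a salted MD5 response instead of the password, then reports what a passive observer of the cleartext channel ends up holding. The challenge scheme (MD5 of salt plus MD5 of password), the `Server` class, the `exposure` function and the account data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

# Constructed account; the server keeps md5(password) (assumed scheme).
USERS = {"alice": md5_hex("correct horse")}

class Server:
    def __init__(self):
        self.salts, self.sessions = {}, {}

    def challenge(self, user):
        self.salts[user] = secrets.token_hex(8)
        return self.salts[user]

    def login(self, user, response):
        salt = self.salts.pop(user, None)  # one-time salt, so a replayed login fails
        if salt is None:
            return None
        if not hmac.compare_digest(md5_hex(salt + USERS[user]), response):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def whoami(self, cookie):
        return self.sessions.get(cookie)

def exposure(password="correct horse"):
    """Log in once over a cleartext channel; report what a passive observer holds."""
    server, wire = Server(), []  # wire = every value sent in the clear
    salt = server.challenge("alice")
    response = md5_hex(salt + md5_hex(password))  # what the login form's script would send
    cookie = server.login("alice", response)
    wire += [salt, response, cookie]
    return {
        "password_on_wire": password in wire,
        "login_replayable": server.login("alice", response) is not None,
        "session_cookie_on_wire": cookie in wire,
        "cookie_alone_authenticates": server.whoami(wire[-1]) == "alice",
    }

if __name__ == "__main__":
    print(exposure())
```

The hashing keeps the raw password off the wire and the one-time salt blocks a replayed login, yet the session cookie issued afterwards is sufficient on its own, which is why the whole authenticated session needs HTTPS.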
