The in-between hacker who catches the encoded password would gain the same
access if the JavaScript hashing function wasn't there.  However the server
expects the password, he'd have gotten that form of it by sniffing that set
of packets.  On the other hand, he wouldn't have your plain-text password
which, to be honest, most people would be using in many, many, many
different places.  Hashing the password in JavaScript before sending it to
the server simply means that the password the hacker sniffs out can't easily
be used to get into your other accounts on other servers which use a
different (or no) hash on the client.

Anything sent from the browser CAN be sniffed.  Using SSL certainly
minimizes this though.

As for decrypting the password, that is why you HASH a password instead of
encrypting it.  A good hash is a one-way thing, which prevents the password
from being recovered by anything short of a brute-force dictionary attack,
which nothing can prevent.

        - Theo


-----Original Message-----
From: Papp Gyozo [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 24, 2001 5:59 AM
To: James Arthur; [EMAIL PROTECTED]
Subject: Re: [PHP] Most secure way to send a password


|
| JavaScript doesn't implement any kind of one-way hashing. But that's for a
| good reason: suppose JavaScript encoded your password and sent it encoded to
| the server. The in-between hacker would retrieve the encoded password as it
| is sent to the server and simply pass that as the password - he doesn't ever
| need to know your unencoded password to break in, since the server expects
| it to be encoded anyway!

and what about those guys who visit your site, download your page with the
javascript encoder in the source HTML, and find out how a crypted password
can be decrypted?

I'm not aware of how the javascript source can be hidden.

| So you're only left with SSL for proper security...

Yes. SSL must be developed for reasons of this kind.

|
| HTTP_AUTH is just another way of sending the username and password as plain
| text -- it's just more comfortable to use than checking if you have proper
| credentials in every page. My personal recommendation is to forget about
| HTTP_AUTH and use SSL plus phplib for proper security.

Yes, agreed.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
