The in-between hacker who catches the encoded password would gain the same access if the JavaScript hashing function wasn't there. However the server expects the password, he'd have gotten that form of it by sniffing that set of packets. On the other hand, he wouldn't have your plain-text password which, to be honest, most people would be using in many, many, many different places. Hashing the password in JavaScript before sending it to the server simply means that the password the hacker sniffs out can't easily be used to get into your other accounts on other servers which use a different (or no) hash on the client.
Anything sent from the browser CAN be sniffed. Using SSL certainly minimizes this though. As for decrypting the password, that is why you HASH a password instead of encrypting it. A good hash is a one-way thing, which prevents the password from being recovered by anything short of a brute-force dictionary attack, which nothing can prevent.

- Theo

-----Original Message-----
From: Papp Gyozo [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 24, 2001 5:59 AM
To: James Arthur; [EMAIL PROTECTED]
Subject: Re: [PHP] Most secure way to send a password

|
| JavaScript doesn't implement any kind of one-way hashing. But that's for a
| good reason: suppose JavaScript encoded your password and sent it encoded to
| the server. The in-between hacker would retrieve the encoded password as it
| is sent to the server and simply pass that as the password - he doesn't ever
| need to know your unencoded password to break in, since the server expects
| it to be encoded anyway!

And what about those guys who visit your site, download your page with the javascript encoder in the source HTML, and find out how a crypted password can be decrypted? I'm not aware of how the javascript source can be hidden.

| So you're only left with SSL for proper security...

Yes. SSL must be developed for reasons of this kind.

|
| HTTP_AUTH is just another way of sending the username and password as plain
| text -- it's just more comfortable to use than checking if you have proper
| credentials in every page. My personal recommendation is to forget about
| HTTP_AUTH and use SSL plus phplib for proper security.

Yes, agreed.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]