Why not try this: Store the plaintext password in your DB, or hash with a permanent key (same key for all users) Send a well-salted key to the browser @ your login page, each time the user logs in Have the user enter the password, have javascript hash it and send it to you (if you're storing a hash in your DB it will need to be hashed twice), as well as the salted key used (or store the key on your server using sessions) (covers encrypted transmission). Have your verification script use the same key to hash the plaintext password in your database, if the result matches the hashed value sent by the user as a password, then the user is authenticated. In this way the user can easily change their password, as well you get (seemingly) random authentication encryption.
Or just try SSL. Matt ----- Original Message ----- From: Chris Hewitt <[EMAIL PROTECTED]> To: José León Serna <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Wednesday, February 12, 2003 10:27 AM Subject: Re: [PHP] RSA implementation José León Serna wrote: >El mar, 11-02-2003 a las 18:49, Chris Hewitt escribió: > >>Have you considered using on one-way MD5 hash instead? >> >That's how I'm doing it now, but I would like to allow the user to >change it's password, and I want to encrypt it, of course ;-) > Yes. > > >The procedure here will be to: > >-Encrypt the new password with javascript on the client's browser using >RSA and the public key > Or it could be an MD5 hash. > >-Decode the entered password on the server using the private key > Current password hash compared with what is in the database, if OK then store new password hash. I'm just suggesting that its possible to use MD5 and not a two-way encryption/decryption. I have no experience of using RSA, I'd have to leave it to others to help. Regards Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
