Hi Paul,

Having passwords encrypted in MD5 sent in plaintext is probably almost worse than just sending them in plaintext.

MD5 has been considered insecure for quite a while now. It's very easy to crack. [1] The reason I suggest it's worse is because it gives a false sense of security. Also, there's nothing stopping somebody from replaying the hash (even if you decided to use a more secure form of SHA1 w/ a seed).

I'm no security expert, so please take what I say with a grain of salt.

[1] http://en.wikipedia.org/wiki/MD5#Vulnerability

On May 2, 8:50 pm, Paul Johnston <paul....@gmail.com> wrote:
> Hi,
>
> Many web sites have a user name and password login system, and do not
> use SSL. As a consequence, users' passwords are transmitted over the
> internet unencrypted. This puts them at risk, particularly if the user
> is on a shared ethernet segment, or open wireless network.
>
> For many years I have provided a JavaScript MD5 library
> (http://pajhome.org.uk/crypt/md5/), which can be used to perform a
> challenge-response login. This avoids passwords being transmitted
> unencrypted, although the security is not as strong as SSL. A number
> of web sites currently use this technique; for some years Yahoo did,
> although they now have SSL login.
>
> However, the use of JavaScript MD5 is not widespread. I think this is
> because few authentication libraries support it. It is possible for a
> library to provide JavaScript MD5 as an authentication mechanism, with
> the details hidden from the application developer. In fact, it's quite
> easy to implement, and there is a lot of guidance on my site.
>
> So, this is a call to the authors of all web authentication libraries.
> Add JavaScript MD5 as an authentication mechanism. And then let me
> know, so I can link to you from my site. If you need any help
> implementing it, drop me a line, I'll do what I can.
>
> I think supporting this mode would be a big selling point for any
> authentication library. And if support becomes widespread, the
> internet becomes a little bit safer for everyone.
>
> Best wishes,
>
> Paul