View Full Version : secure login system - protecting password

01-06-2008, 09:14 AM
on this forum forinstance there is java script call:

onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)

can anybody explain this in details ,coz I cant find md5hash function :)

anyway, what to do with this on server side, links, ideas,how secure is this, ....


01-06-2008, 10:25 PM
The manual:

How people hack it ...

01-06-2008, 10:53 PM
The md5hash function is located in the .js file that is referenced immediately following the line of code where you found the onsubmit() function call -


If the code is sending the MD5 hash of the password over a http connection (VBulletin may or may not be doing this), that is no more secure than sending the password itself over a http connection. Someone can still capture that and use it to login if the login function is expecting the md5 hash value.

Short answer - if you send the value the server side login code is expecting over an un-encrypted http connection, it does not matter what you do to it before you send it, like performing an md5 hash, because if someone is monitoring your data packets, they get the value the login code is expecting.

The only way to secure the login information is to do it over a SSL/https connection.

01-07-2008, 05:57 AM
so I was thinking like that:

1. send ower to client, java script enryipt algorithm, the kind that need a key forinstance TEA
2. just before post back get key via ajax, encript, post back
3. decryipt on server, save to database as AES encryiption, as mysql has it built in
3.1. so one wery bad boy could get something from this, but would waste enormous amount of time as I allso have captcha thing.
4. next time same thing with different key

What do you think abot that ?

Anyway, looking for copatible algorithms (like TEA) written in java and java script. Surfed the net, but there are bunch of wariants that all produce a bit different thing.

01-07-2008, 10:23 AM
On the second look , there is RSA algorithm which is the same as PGP: I could send out public key, encryipt the stuf on klient and send it back, It is said that this RSA is pretty good. So middle man sniffer can do nothing with it.

01-08-2008, 10:39 PM
This question is for those who understand logic of RSA.

googling around I found this. Looks short,it allso works but is it realy RSA ?


why is there a static number 65537, shouldnt this allso be some randome stuff ?

and it looks like, beside private and public key I have to store modulus too, is this the case with any RSA ?