
View Full Version : Password Protection - help needed



OFRD_GRL
09-15-2011, 08:57 PM
OK, so I used this password protection..
http://www.javascriptkit.com/script/cut10.shtml

But I need to use it more than once on a page.. and it doesn't work by just changing the password and file it points to...
http://unaschade.com/portfolio.html

So, is there any other part of the code I can change in order to use this script on the page more than once? Or does anyone have a better suggestion for me?

Thanks in advance!

Old Pedant
09-15-2011, 09:19 PM
Ummm...that is *NOT* password protection.

That is password *DISASTER*.

Anyone with more than a thimble full of brain matter will break that password stuff in about 30 seconds.

OFRD_GRL
09-15-2011, 09:21 PM
Do you have any better suggestions for me to go with by chance?

Old Pedant
09-15-2011, 10:06 PM
Well, yes. But you may not be able to use them. You really can *NOT* do passwords with HTML and JavaScript. You really need to do them in server-side coding. PHP or ASP or JSP. There's simply no way to do any decent page protection otherwise. Sorry.

OFRD_GRL
09-15-2011, 10:07 PM
Cool, thanks.
I found one that is a little better and will suffice for what I need for now anyways until I can do some more research :)

rnd me
09-15-2011, 10:51 PM
Well, yes. But you may not be able to use them. You really can *NOT* do passwords with HTML and JavaScript. You really need to do them in server-side coding. PHP or ASP or JSP. There's simply no way to do any decent page protection otherwise. Sorry.

i disagree. a cipher offers reasonable protection against non-governmental-level spooks.

the trick is not storing your password anywhere close to your website.

check out http://danml.com/pub/crypto.htm

as a test, let's see if the protection is enough to foil Old Pedant:
what famous quote does the following page contain?


<html><title>Encoded Message</title><body style='margin: 0px; overflow:hidden; position:absolute; width:100%; height: 100%; white-space: pre;' ><textarea id='t1' name='t1' rows='50' cols='210' style='font-family:Tahoma, sans-serif; font-size:120%; position:absolute; left:0px; top: 0px; width:100%; height:100%; wrap: virtual'></textarea> <script> eval( unescape( "function%20jcipher%28p%2Cs%29%7Bvar%20i%3D0%2CP%3D0%2CK%3D0%2Cb%3D%22%22%2CMax%3D0%2Cd%3D%5B%5D%3Bif%28p.slice%280%2C3%29%3D%3D%22zz%2C%22%29%7Bvar%20slen%3Ds.length+1%3Bd%3Dp.split%28%22%2C%22%29%3Bp%3D%22%22%3Bvar%20junk%3Dd.shift%28%29%2CScc%3DString.fromCharCode%3BMax%3Dd.length%3Bvar%20tr%3D%5BMax%5D%3Bfor%28var%20i%3D0%3Bi%3CMax%3Bi++%29%7BP%3Dd%5Bi%5D%3BK%3Ds.charCodeAt%28i%25slen%29%3Btr%5Bi%5D%3DScc%28P%5EK%29%3B%7Dreturn%20tr.join%28%22%22%29%3B%7Dreturn%20false%3B%7D%0A" ) );
var enc='zz,1,95,69,22,0,3,35,28,86,18,79,19,42,100,103,67,85,18,69,30,96,10,65,22,29,1,100,97,32,95,16,11,85,2,96,21,69,3,7,23,54,115,103,82,66,11,85,23,40,7,4,17,0,0,48,104,103,95,94,68,84,24,41,0,4,20,0,28,48,105,41,85,94,16,12,80,33,83,74,18,24,82,42,97,51,89,95,10,12,80,35,28,74,20,10,27,50,101,35,16,89,10,0,60,41,17,65,5,27,11,104,32,38,94,84,68,68,21,36,26,71,22,27,23,32,32,51,95,16,16,72,21,96,3,86,24,31,29,55,105,51,89,95,10,0,4,40,18,80,87,14,30,40,32,42,85,94,68,65,2,37,83,71,5,10,19,48,101,35,16,85,21,85,17,44,93,4'
if (typeof PW == 'undefined'){var PW = prompt('Enter The Password for this Document:')};
if (PW.length){ document.getElementById('t1').value=jcipher(enc, PW); };
</script></body></html>


and hey, this isn't just for old pedant: if ANYONE can crack this PLEASE post the answer; i need to know it works, so hack away!
i'll give a thanks for a solution; which is about all i can offer...

if it is, i would think you would be a lot better off than what the OP had posted: dd/jsk garbage from years ago...

Old Pedant
09-15-2011, 11:44 PM
Oh, it could be broken. Just would take a while. NSA could do it in minutes or at most hours, I'm sure.

It's funny, it's just a computerized version of a system that Charles Dodgson (a.k.a. Lewis Carroll) showed in one of his writings back in the 1800s. He didn't use exclusive or. Instead, he used the equivalent of modulo (that is, he used % instead of ^ operator), but other than that...

The longer the key is, the more secure it is. Part of the trick is trying to figure out the length of the key. That's not overly hard. You simply present a key of "aaaa" with ever increasing length and look for output that begins to have letters every N characters where N is the length of your key. (That assumes that the key will have at least one "a" in it. If not, you try other characters the same way till you get a "hit".)

Once you have the length, then you can begin guessing at words, etc.

But it is guessing, which is why you should just use a massively parallel computer to do the guessing.

The real weakness in this scheme is that if you want to use it for more than one password, you have to have *ALL* the encodings of the various passwords in your web page. And that makes it easier to break. So if you use it, it should probably be used only for a one-user password.

*HOWEVER*....

WHAT GOOD IS IT?

It's much easier for me to simply look at your code and figure out what it is you do when the password is validated and then hack your code to replace your check with my own that always says "Yes, that password is perfect!"

You have to also highly encrypt your JavaScript code, else it's all useless. And that is, if anything, much the harder task.

Dormilich
09-16-2011, 08:19 AM
in other words (for those who need a keyword): a Vigenère Cipher

Dormilich
09-16-2011, 09:31 AM
hey i know about PHP plz tell me how can i protect my password.
usually you don’t.

for a login process it is common practice not to store the password itself, but a hashed value of it (like SHA1 or MD5). the security of the "protection" (it is a kind of one-way encryption) depends on the algorithm used (e.g. MD5 is considered insecure). for instance you can improve security by using a (so-called) salt (= extra bit of password).
for the login itself you just hash the password given by the user and compare it to the saved hash in the DB (or wherever you store the password hashes)
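
The store-a-salted-hash login flow described in the post above, as an added example that is not part of the original thread. It assumes Node.js and swaps in the built-in scrypt function for the SHA1/MD5 named in the post; the record format and function names are hypothetical.

```javascript
// Added example (not from the thread): salted password hashing and verification.
// Assumption: Node.js built-in scrypt stands in for the SHA1/MD5 named in the post.
const crypto = require("node:crypto");

// What an unsalted fast hash stores: identical passwords give identical digests.
function unsaltedMd5(password) {
  return crypto.createHash("md5").update(password).digest("hex");
}

// Record to store instead of the password: scheme, per-password salt, hash.
function hashPassword(password) {
  const salt = crypto.randomBytes(16); // fresh random salt for every password
  const hash = crypto.scryptSync(password, salt, 32);
  return ["scrypt", salt.toString("hex"), hash.toString("hex")].join("$");
}

// Login check: re-hash the submitted password with the stored salt and compare.
function verifyPassword(password, record) {
  const [scheme, saltHex, hashHex] = String(record).split("$");
  if (scheme !== "scrypt" || !saltHex || !hashHex) return false;
  const expected = Buffer.from(hashHex, "hex");
  if (expected.length !== 32) return false; // malformed or truncated record
  const actual = crypto.scryptSync(password, Buffer.from(saltHex, "hex"), 32);
  return crypto.timingSafeEqual(actual, expected); // constant-time comparison
}

// Constructed sample: two users who happen to pick the same password.
function demo() {
  const a = hashPassword("Zamboni37");
  const b = hashPassword("Zamboni37");
  return {
    md5Collides: unsaltedMd5("Zamboni37") === unsaltedMd5("Zamboni37"),
    saltedDiffer: a !== b,
    goodLogin: verifyPassword("Zamboni37", a),
    badLogin: verifyPassword("zamboni37", a),
  };
}
console.log(demo());
```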

rnd me
09-16-2011, 10:58 AM
*HOWEVER*....

WHAT GOOD IS IT?

It's much easier for me to simply look at your code and figure out what it is you do when the password is validated and then hack your code to replace your check with my own that always says "Yes, that password is perfect!"

You have to also highly encrypt your JavaScript code, else it's all useless. And that is, if anything, much the harder task.

false, the program never knows if the password is correct. try a wrong password and see how it outputs garbage instead of complaining.

along with that, it's mathematically impossible to 100% prove a successful decryption: different keys can produce different legible output, some examples of which are quite long...




NSA could do it in minutes or at most hours, I'm sure.

maybe, but the first thing i said was:

a cipher offers reasonable protection against non-governmental-level spooks.

Dormilich
09-16-2011, 11:54 AM
the better question would be: "what is the password supposed to protect?" and "is it sensible to use a cipher?"*

if you’re trying to encrypt a whole website** (i.e. encrypt HTML markup), I doubt ciphers are the way to go. whereas for text passages it would work.


* - say, if it should protect a (file via) link, that is something a cipher is unsuited for. you can very well protect the link in the document, but once you know the file name (request the server directly), the protection (of the file) is broken.

** - it may be feasible for small chunks of HTML

rnd me
09-16-2011, 06:44 PM
the better question would be: "what is the password supposed to protect?" and "is it sensible to use a cipher?"*

if you’re trying to encrypt a whole website** (i.e. encrypt HTML markup), I doubt ciphers are the way to go. whereas for text passages it would work.


the program (http://danml.com/pub/crypto.htm) can encrypt whole pages or plain text. if you encrypt a document, it will render the whole document after decrypting using document.write(). i would advise a long password for html, at least 25 chars, because you need extra protection from reverse-engineering the cipher using predictable substrings from tags like "</body>". if you use a guid as a key, it's going to be very difficult to tell if the key is being revealed...

i'll say it right now that https and server-based logins provide better physical security. but, often login passwords are guessable...
if you forget a login password, you can reset it, but if you forget a cipher key, you are hosed.

ciphers also run without a server or a pre-installed application, so for free, it's a pretty good way to protect private info. the formula i used was based on a description of a KGB cipher thought to be uncrackable with a long key.
if the key is LONGER than the source text, it's more-or-less impossible to decipher, even for pros. the weakness is from a repetitive key, so the longer your key, the better your protection.
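
Why key length matters against the predictable HTML substrings mentioned above, and how the key-length step from the earlier reply falls out of them, as an added example that is not part of the original thread. It assumes a simplified repeating-key XOR that indexes the key with i % key.length (the posted jcipher() uses s.length+1); the page text, prefix and keys are constructed for the demo.

```javascript
// Added example (not from the thread). Repeating-key XOR over character codes.
// Assumption: key index is i % key.length; the same call encrypts and decrypts.
const toCodes = (s) => Array.from(s, (ch) => ch.charCodeAt(0));
const fromCodes = (a) => String.fromCharCode(...a);
function xorCipher(codes, key) {
  return codes.map((c, i) => c ^ key.charCodeAt(i % key.length));
}

// XOR of ciphertext with a correctly guessed plaintext prefix is the keystream.
function keystreamFromPrefix(cipher, knownPrefix) {
  return fromCodes(toCodes(knownPrefix).map((p, i) => p ^ cipher[i]));
}

// Smallest period that repeats at least once in the stream, or null if none shows.
function smallestPeriod(stream) {
  for (let len = 1; len <= Math.floor(stream.length / 2); len++) {
    let repeats = true;
    for (let i = len; i < stream.length && repeats; i++) {
      repeats = stream[i] === stream[i - len];
    }
    if (repeats) return len;
  }
  return null;
}

// If the key repeats inside the known prefix, the whole document decrypts.
function recoverFromPrefix(cipher, knownPrefix) {
  const stream = keystreamFromPrefix(cipher, knownPrefix);
  const len = smallestPeriod(stream);
  if (len === null) return { key: null, plaintext: null };
  const key = stream.slice(0, len);
  return { key, plaintext: fromCodes(xorCipher(cipher, key)) };
}

// Constructed sample page and keys (hypothetical values for this demo).
const PAGE = "<!DOCTYPE html><html><head><title>Private</title></head>" +
  "<body>Constructed sample text</body></html>";
const PREFIX = "<!DOCTYPE html><html><head>"; // 27 predictable characters
const SHORT_KEY = "hunter42";
const LONG_KEY = "correct horse battery staple 2011";

function demo() {
  return {
    short: recoverFromPrefix(xorCipher(toCodes(PAGE), SHORT_KEY), PREFIX),
    long: recoverFromPrefix(xorCipher(toCodes(PAGE), LONG_KEY), PREFIX),
  };
}
console.log(demo());
```

The 8-character key is recovered in full from the 27-character prefix, while the 33-character key shows no repetition inside it; the prefix still exposes its first 27 characters.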

Old Pedant
09-16-2011, 10:56 PM
Yep, on all points.

But, again, look at the pages of the person who started this thread:


function TheLogin() {
    var password = '[omitted]';
    if (this.document.login.pass.value == password) {
        top.location.href="jasonseniorpics.html";
    } else {
        location.href="[omitted].html";
    }
}
</script>

In other words, once you have (or can guess) the URL "[omitted].html", she has NO MORE PROTECTION.

So RndMe's scheme, unless used to actually render the HTML of that "[omitted].html" page, does her no good at all.

*THAT* is what I was referring to when I said "what good is it?"

For the average Joe-6-pack (or Jane-size-6) person, server-side protection is actually *easier* than client-side. I can provide it in ASP code in maybe 20 lines of code (including the HTML login <form>) and probably the same in PHP code. And the user could drop the same code into each protected page (using an INCLUDE if available) and be done.

Old Pedant
09-16-2011, 11:05 PM
WTH.



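<%
' Show the login form until this session has supplied the correct password.
If Not Session("okay") Then
    ' HTTP_REFERER is a full URL while URL is only the path, so compare the tail of the referer.
    If Right(Request.ServerVariables("HTTP_REFERER"), Len(Request.ServerVariables("URL"))) = Request.ServerVariables("URL") _
       AND Request.Form("pwd") = "Zamboni37" Then ' or password of your choice
        Session("okay") = True
    Else
%>
<form method="post">
Password: <input type="password" name="pwd"/><br/>
<input type="submit" value="Login"/>
</form>
<%
        Response.End ' stop here so the protected page below is never sent
    End If
End If
%>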

Put that into a #include file at the top of each of your pages (and rename the page to ".asp") and you are protected on any windows server. (It does require the user to have cookies enabled.)


