  • #1 Senior Coder (joined Dec 2005, Slovenia, 1,960 posts, thanked 76 times in 76 posts)

    secure login system - protecting password

    On this forum, for instance, there is a JavaScript call:

    Code:
    onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)"
    Can anybody explain this in detail? I can't find the md5hash function.

    Anyway, what to do with this on the server side? Links, ideas, how secure is this, ....

    Thanks.

  • #2 Master Coder (joined Jun 2003, Cottage Grove, Minnesota, 9,464 posts, thanked 1,085 times in 1,076 posts)

  • #3 Senior Coder CFMaBiSmAd (joined Oct 2006, Denver, Colorado USA, 3,018 posts, thanked 313 times in 305 posts)
    The md5hash function is located in the .js file that is referenced immediately following the line of code where you found the onsubmit() function call -

    http://www.codingforums.com/clientsc...ulletin_md5.js

    If the code is sending the MD5 hash of the password over an http connection (vBulletin may or may not be doing this), that is no more secure than sending the password itself over an http connection. Someone can still capture that and use it to log in if the login function is expecting the md5 hash value.

    Short answer - if you send the value the server side login code is expecting over an un-encrypted http connection, it does not matter what you do to it before you send it, like performing an md5 hash, because if someone is monitoring your data packets, they get the value the login code is expecting.

    The only way to secure the login information is to do it over an SSL/https connection.
    Last edited by CFMaBiSmAd; 01-06-2008 at 10:09 PM.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • #4 Senior Coder (joined Dec 2005, Slovenia, 1,960 posts, thanked 76 times in 76 posts)
    So I was thinking something like this:

    1. Send over to the client a JavaScript encryption algorithm, the kind that needs a key, for instance TEA.
    2. Just before posting back, get the key via Ajax, encrypt, post back.
    3. Decrypt on the server, save to the database as AES encryption, as MySQL has it built in.
    3.1. So one very bad boy could get something from this, but would waste an enormous amount of time, as I also have a captcha thing.
    4. Next time, the same thing with a different key.

    What do you think about that?

    Anyway, I am looking for compatible algorithms (like TEA) written in Java and JavaScript. I surfed the net, but there are a bunch of variants that all produce slightly different results.

  • #5 Senior Coder (joined Dec 2005, Slovenia, 1,960 posts, thanked 76 times in 76 posts)
    On second look, there is the RSA algorithm, which is the same as PGP: I could send out a public key, encrypt the stuff on the client and send it back. It is said that this RSA is pretty good, so a man-in-the-middle sniffer can do nothing with it.

  • #6 Senior Coder (joined Dec 2005, Slovenia, 1,960 posts, thanked 76 times in 76 posts)
    This question is for those who understand the logic of RSA.

    Googling around I found this. It looks short, and it also works, but is it really RSA?

    http://www.cs.princeton.edu/introcs/.../RSA.java.html

    Why is there a static number 65537? Shouldn't this also be some random stuff?

    And it looks like, besides the private and public key, I have to store the modulus too. Is this the case with any RSA?
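A toy textbook RSA round trip, added here as an illustration of the two questions in post #6 (it is not part of the thread and not the Princeton RSA.java that is linked): it shows where the fixed exponent 65537 sits and that the modulus n belongs to both the public and the private key. The primes 104729 and 104723, the message 424242 and the function names are constructed for this example and are far too small for real use.

```python
from math import gcd

# Fixed public exponent. 65537 = 2**16 + 1 is prime, so gcd(E, phi) == 1 holds
# unless p-1 or q-1 happens to be a multiple of 65537, and with only two bits
# set it keeps pow(m, E, n) cheap. It is part of the *public* key, so it does
# not need to be random: the secret lives in p, q and the derived d, not in e.
E = 65537

def is_prime(n):
    """Trial division, adequate for the toy sizes used here."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True

def keygen(p, q, e=E):
    """Return ((n, e), (n, d)). The modulus n appears in both halves: the
    public key is (n, e) and the private key is (n, d), so n has to be kept
    alongside d. Real key formats usually also keep p and q for speed."""
    assert is_prime(p) and is_prime(q) and p != q
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def encrypt(pub, m):
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)

def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def demo():
    """Constructed run with deliberately tiny primes. Textbook RSA has no
    padding, so equal plaintexts give equal ciphertexts: a server that accepts
    such a ciphertext as the login value gains nothing over accepting the raw
    password, which is the point made in post #3."""
    pub, priv = keygen(104729, 104723)
    m = 424242  # constructed stand-in for a numerically encoded password
    c1, c2 = encrypt(pub, m), encrypt(pub, m)
    return decrypt(priv, c1) == m, c1 == c2
```

Run `demo()` to get `(True, True)`: the round trip works, and the two encryptions of the same value are identical.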

