  • #1
    New to the CF scene
    Join Date
    Sep 2011
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Password Protection - help needed

    OK, so I used this password protection..
    http://www.javascriptkit.com/script/cut10.shtml

    But I need to use it more than once on a page.. and it doesn't work by just changing the password and file it points to...
    http://unaschade.com/portfolio.html

    So, is there any other part of the code I can change in order to use this script on the page more than once? Or does anyone have a better suggestion for me?

    Thanks in advance!

  • #2
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,553
    Thanks
    78
    Thanked 4,382 Times in 4,347 Posts
    Ummm...that is *NOT* password protection.

    That is password *DISASTER*.

    Anyone with more than a thimble full of brain matter will break that password stuff in about 30 seconds.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #3
    New to the CF scene
    Do you have any better suggestions for me to go with by chance?

  • #4
    Supreme Master coder! Old Pedant's Avatar
    Well, yes. But you may not be able to use them. You really can *NOT* do passwords with HTML and JavaScript. You really need to do them in server-side coding. PHP or ASP or JSP. There's simply no way to do any decent page protection otherwise. Sorry.

  • #5
    New to the CF scene
    Cool, thanks.
    I found one that is a little better and will suffice for what I need for now anyways until I can do some more research

  • #6
    Senior Coder rnd me's Avatar
    Join Date
    Jun 2007
    Location
    Urbana
    Posts
    4,349
    Thanks
    11
    Thanked 589 Times in 570 Posts
    Quote Originally Posted by Old Pedant View Post
    Well, yes. But you may not be able to use them. You really can *NOT* do passwords with HTML and JavaScript. You really need to do them in server-side coding. PHP or ASP or JSP. There's simply no way to do any decent page protection otherwise. Sorry.
    i disagree. a cipher offers reasonable protection against non-governmental-level spooks.

    the trick is not storing your password anywhere close to your website.

    check out http://danml.com/pub/crypto.htm

    as a test, let's see if the protection is enough to foil Old Pedant:
    what famous quote does the following page contain?

    Code:
    <html><title>Encoded Message</title><body style='margin: 0px; overflow:hidden; position:absolute; width:100%; height: 100%; white-space: pre;' ><textarea  id='t1' name='t1' rows='50' cols='210'  style='font-family:Tahoma, sans-serif; font-size:120%; position:absolute; left:0px; top: 0px; width:100%; height:100%; wrap: virtual'></textarea> <script> eval( unescape( "function%20jcipher%28p%2Cs%29%7Bvar%20i%3D0%2CP%3D0%2CK%3D0%2Cb%3D%22%22%2CMax%3D0%2Cd%3D%5B%5D%3Bif%28p.slice%280%2C3%29%3D%3D%22zz%2C%22%29%7Bvar%20slen%3Ds.length+1%3Bd%3Dp.split%28%22%2C%22%29%3Bp%3D%22%22%3Bvar%20junk%3Dd.shift%28%29%2CScc%3DString.fromCharCode%3BMax%3Dd.length%3Bvar%20tr%3D%5BMax%5D%3Bfor%28var%20i%3D0%3Bi%3CMax%3Bi++%29%7BP%3Dd%5Bi%5D%3BK%3Ds.charCodeAt%28i%25slen%29%3Btr%5Bi%5D%3DScc%28P%5EK%29%3B%7Dreturn%20tr.join%28%22%22%29%3B%7Dreturn%20false%3B%7D%0A" ) ); 
    var enc='zz,1 ,95,69,22,0,3,35,28,86,18,79,19,42,100,103,67,85,18,69,30,96,10,65,22,29,1,100,97,32,95,16,11,85,2,96,21,69,3,7,23,54 ,115,103,82,66,11,85,23,40,7,4,17,0,0,48,104,103,95,94,68,84,24,41,0,4,20,0,28,48,105,41,85,94,16,12,80,33,83,74,18,24 ,82,42,97,51,89,95,10,12,80,35,28,74,20,10,27,50,101,35,16,89,10,0,60,41,17,65,5,27,11,104,32,38,94,84,68,68,21,36,26,71 ,22,27,23,32,32,51,95,16,16,72,21,96,3,86,24,31,29,55,105,51,89,95,10,0,4,40,18,80,87,14,30,40,32,42,85,94,68,65,2,37 ,83,71,5,10,19,48,101,35,16,85,21,85,17,44,93,4'
     if (typeof PW == 'undefined'){var PW = prompt('Enter The Password for this Document:')};
     if (PW.length){ document.getElementById('t1').value=jcipher(enc, PW); };
    </script></body></html>

    and hey, this isn't just for Old Pedant: if ANYONE can crack this PLEASE post the answer; i need to know it works, so hack away!
    i'll give a thanks for a solution; which is about all i can offer...

    if it is, i would think you would be a lot better off than what the OP had posted: dd/jsk garbage from years ago...
    Last edited by rnd me; 09-15-2011 at 09:54 PM.
    my site (updated 13/9/26)
    BROWSER STATS [% share] (2014/5/28) IE7:0.1, IE8:5.3, IE11:8.4, IE9:3.2, IE10:3.2, FF:18.2, CH:46, SF:7.9, NON-MOUSE:32%

  • #7
    Supreme Master coder! Old Pedant's Avatar
    Oh, it could be broken. Just would take a while. NSA could do it in minutes or at most hours, I'm sure.

    It's funny, it's just a computerized version of a system that Charles Dodgson (a.k.a. Lewis Carroll) showed in one of his writings back in the 1800s. He didn't use exclusive or. Instead, he used the equivalent of modulo (that is, he used % instead of ^ operator), but other than that...

    The longer the key is, the more secure it is. Part of the trick is trying to figure out the length of the key. That's not overly hard. You simply present a key of "aaaa" with ever increasing length and look for output that begins to have letters every N characters where N is the length of your key. (That assumes that the key will have at least one "a" in it. If not, you try other characters the same way till you get a "hit".)

    Once you have the length, then you can begin guessing at words, etc.

    But it is guessing, which is why you should just use a massively parallel computer to do the guessing.

    The real weakness in this scheme is that if you want to use it for more than one password, you have to have *ALL* the encodings of the various passwords in your web page. And that makes it easier to break. So if you use it, it should probably be used only for a one-user password.

    *HOWEVER*....

    WHAT GOOD IS IT?

    It's much easier for me to simply look at your code and figure out what it is you do when the password is validated and then hack your code to replace your check with my own that always says "Yes, that password is perfect!"

    You have to also highly encrypt your JavaScript code, else it's all useless. And that is, if anything, much the harder task.

  • #8
    Senior Coder Dormilich's Avatar
    Join Date
    Jan 2010
    Location
    Behind the Wall
    Posts
    3,294
    Thanks
    13
    Thanked 345 Times in 341 Posts
    in other words (for those who need a keyword): a Vigenère Cipher
    The computer is always right. The computer is always right. The computer is always right. Take it from someone who has programmed for over ten years: not once has the computational mechanism of the machine malfunctioned.
    André Behrens, NY Times Software Developer

  • #9
    Senior Coder Dormilich's Avatar
    Quote Originally Posted by soniasharma View Post
    hey i know about PHP plz tell me how can i protect my password.
    usually you don’t.

    for a login process it is common practice not to store the password itself, but a hashed value of it (like SHA1 or MD5). the security of the "protection" (it is a kind of one-way encryption) depends on the algorithm used (e.g. MD5 is considered insecure). for instance you can improve security by using a (so-called) salt (= extra bit of password).
    for the login itself you just hash the password given by the user and compare it to the saved hash in the DB (or where-ever you store the password hashes)
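
Added example, not part of any post in this thread: the salted-hash login check Dormilich describes in #9, written for Node.js. It substitutes scrypt (a deliberately slow, salted key-derivation function) for the SHA1/MD5 named in the post; the `scrypt$<salt>$<hash>` record layout, the function names and the sample password are assumptions of this example.

```javascript
const crypto = require("node:crypto");

const KEYLEN = 32; // bytes of derived hash kept in the record

// The weak pattern the post warns about: a fast, unsalted digest. Every user
// with the same password gets the same value, so one lookup table covers all.
function unsaltedMd5(password) {
  return crypto.createHash("md5").update(password).digest("hex");
}

// Store this string in the DB instead of the password.
// Record layout "scrypt$<salt hex>$<hash hex>" is an assumption of this example.
function hashPassword(password) {
  const salt = crypto.randomBytes(16); // fresh random salt per user
  const hash = crypto.scryptSync(password, salt, KEYLEN);
  return ["scrypt", salt.toString("hex"), hash.toString("hex")].join("$");
}

// Login: re-derive the hash from the submitted password and the stored salt,
// then compare in constant time. Malformed records fail closed.
function verifyPassword(password, record) {
  const [scheme, saltHex, hashHex] = String(record).split("$");
  if (scheme !== "scrypt" || !saltHex || !hashHex) return false;
  const expected = Buffer.from(hashHex, "hex");
  if (expected.length !== KEYLEN) return false;
  const actual = crypto.scryptSync(password, Buffer.from(saltHex, "hex"), KEYLEN);
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample password, for demonstration only.
const SAMPLE = "correct horse battery";
const recordA = hashPassword(SAMPLE);
const recordB = hashPassword(SAMPLE);
console.log("unsalted digests identical:", unsaltedMd5(SAMPLE) === unsaltedMd5(SAMPLE));
console.log("salted records identical:", recordA === recordB);
console.log("right password accepted:", verifyPassword(SAMPLE, recordA));
console.log("wrong password accepted:", verifyPassword("wrong guess", recordA));
```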

  • #10
    Senior Coder rnd me's Avatar
    Quote Originally Posted by Old Pedant View Post
    *HOWEVER*....

    WHAT GOOD IS IT?

    It's much easier for me to simply look at your code and figure out what it is you do when the password is validated and then hack your code to replace your check with my own that always says "Yes, that password is perfect!"

    You have to also highly encrypt your JavaScript code, else it's all useless. And that is, if anything, much the harder task.
    false, the program never knows if the password is correct. try a wrong password and see how it outputs garbage instead of complaining.

    along with that, it's mathematically impossible to 100% prove a successful decryption: different keys can produce different legible output, some examples of which are quite long...


    Quote Originally Posted by Old Pedant View Post
    NSA could do it in minutes or at most hours, I'm sure.
    maybe, but the first thing i said was:
    Quote Originally Posted by Old Pedant;
    a cipher offers reasonable protection against non-governmental-level spooks.
    Last edited by rnd me; 09-16-2011 at 10:02 AM.

  • #11
    Senior Coder Dormilich's Avatar
    the better question would be: "what is the password supposed to protect?" and "is it sensible to use a cipher?"*

    if you’re trying to encrypt a whole website** (i.e. encrypt HTML markup), I doubt ciphers are the way to go. whereas for text passages it would work.


    * - say, if it should protect a (file via) link, that is something a cipher is unsuited for. you can very well protect the link in the document, but once you know the file name (request the server directly), the protection (of the file) is broken.

    ** - it may be feasible for small chunks of HTML
    Last edited by Dormilich; 09-16-2011 at 10:58 AM.

  • #12
    Senior Coder rnd me's Avatar
    Quote Originally Posted by Dormilich View Post
    the better question would be: "what is the password supposed to protect?" and "is it sensible to use a cipher?"*

    if you’re trying to encrypt a whole website** (i.e. encrypt HTML markup), I doubt ciphers are the way to go. whereas for text passages it would work.
    the program (http://danml.com/pub/crypto.htm) can encrypt whole pages or plain text. if you encrypt a document, it will render the whole document after decrypting using document.write(). i would advise a long password for html, at least 25 chars, because you need extra protection from reverse-engineering the cipher using predictable substrings from tags like "</body>". if you use a guid as a key, it's going to be very difficult to tell if the key is being revealed...

    i'll say it right now that https and server-based logins provide better physical security. but, often login passwords are guessable...
    if you forget a login password, you can reset it, but if you forget a cipher key, you are hosed.

    ciphers also run without a server or a pre-installed application, so for free, it's a pretty good way to protect private info. the formula i used was based on a description of a KGB cipher thought to be uncrackable with a long key.
    if the key is LONGER than the source text, it's more-or-less impossible to decipher, even for pros. the weakness is from a repetitive key, so the longer your key, the better your protection.
    Last edited by rnd me; 09-16-2011 at 05:49 PM.
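
Added example, not code from any poster: why the repeating-key XOR scheme debated in #7 and #12 gives up its key when part of the plaintext is predictable, such as the HTML tags rnd me mentions. `xorCipher` mirrors the loop of the decoded `jcipher` on plain arrays of character codes; the key, the sample page and the helper names are constructed for illustration.

```javascript
// Added example. KEY and PAGE are constructed sample values, not the thread's data.
const KEY = "k3y!9";
const PAGE = "<html><body>Quarterly numbers: draft, do not share.</body></html>";

const toCodes = (s) => Array.from(s, (ch) => ch.charCodeAt(0));
const toText = (codes) => String.fromCharCode(...codes);

// Same loop as the decoded jcipher, on arrays instead of the "zz," string. Its
// modulus is key.length + 1, so one index per cycle reads past the key:
// charCodeAt returns NaN there, and c ^ NaN leaves c unchanged.
function xorCipher(codes, key) {
  const slen = key.length + 1;
  return codes.map((c, i) => c ^ key.charCodeAt(i % slen));
}

// Plaintext characters that sit unencrypted in the ciphertext for a given
// key length (no key needed to read them).
function passthroughText(cipher, keyLen) {
  return toText(cipher.filter((_, i) => i % (keyLen + 1) === keyLen));
}

// Known-plaintext recovery: XOR the ciphertext with a predictable substring
// (crib) and read off the key characters it overlaps; "?" marks unknown ones.
function keyFromCrib(cipher, crib, offset, keyLen) {
  const key = new Array(keyLen).fill("?");
  toCodes(crib).forEach((p, j) => {
    const slot = (offset + j) % (keyLen + 1);
    if (slot < keyLen) key[slot] = String.fromCharCode(cipher[offset + j] ^ p);
  });
  return key.join("");
}

const cipher = xorCipher(toCodes(PAGE), KEY);
const leaked = passthroughText(cipher, KEY.length);
const recovered = keyFromCrib(cipher, "<html>", 0, KEY.length);
const decrypted = toText(xorCipher(cipher, recovered));

console.log("readable without the key:", JSON.stringify(leaked));
console.log("key recovered from the '<html>' crib:", recovered);
console.log("decrypts the whole page:", decrypted === PAGE);
```

With a key at least as long as the text, the same XOR reveals only the key characters under the crib itself, which is the point rnd me makes in #12.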

  • #13
    Supreme Master coder! Old Pedant's Avatar
    Yep, on all points.

    But, again, look at the pages of the person who started this thread:
    Code:
    function TheLogin() {
        var password = '[omitted]';
        if (this.document.login.pass.value == password) {
            top.location.href="jasonseniorpics.html";
       } else {
          location.href="[omitted].html";
      }
    }
    </script>
    In other words, once you have (or can guess) the URL "[omitted].html", she has NO MORE PROTECTION.

    So RndMe's scheme, unless used to actually render the HTML of that "[omitted].html" page, does her no good at all.

    *THAT* is what I was referring to when I said "what good is it?"

    For the average Joe-6-pack (or Jane-size-6) person, server-side protection is actually *easier* than client-side. I can provide it in ASP code in maybe 20 lines of code (including the HTML login <form>) and probably the same in PHP code. And the user could drop the same code into each protected page (using an INCLUDE if available) and be done.

  • #14
    Supreme Master coder! Old Pedant's Avatar
    WTH.

    Code:
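    <%
    ' Gate for protected pages: the check runs on the server, so the password never reaches the browser.
    If Not Session("okay") Then
        ' HTTP_REFERER is an absolute URL and URL is only the path, so test for
        ' containment rather than equality.
        If InStr(Request.ServerVariables("HTTP_REFERER"), Request.ServerVariables("URL")) > 0 _
           AND Request.Form("pwd") = "Zamboni37" Then ' or password of your choice
            Session("okay") = True
        Else
    %>
    <form method="post">
    Password: <input type="password" name="pwd"/><br/>
    <input type="submit" value="Login"/>
    </form>
    <%
            Response.End ' stop here so the protected content below is not sent
        End If
    End If
    %>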
    Put that into a #include file at the top of each of your pages (and rename the page to ".asp") and you are protected on any windows server. (It does require the user to have cookies enabled.)

