  #1  New to the CF scene (joined Apr 2013, Canada, 5 posts)

    Javascript function call doesn't work

    Hi People!

    I have the following code:

    Code:
    <script type="text/javascript" src="sha512.js"></script>
    <script type="text/javascript" src="forms.js"></script>
    <?php
    if(isset($_GET['error'])) { 
       echo 'Error Logging In!';
    }
    ?>
    
    
    <form action="process_login.php" method="post" name="login_form">
       Email: <input type="text" name="email" /><br />
       Password: <input type="password" name="password" id="password"/><br />
       <input type="button" value="Login" onclick="formhash(this.form, this.form.password);" />
    </form>
    When the button is clicked it calls the following function:

    Code:
    function formhash(form, password) {
       document.write(password.value);

       // Create a new element input, this will be our hashed password field.
       var p = document.createElement("input");
       // Add the new element to our form.
       form.appendChild(p);
       p.name = "p";
       p.type = "hidden";
       p.value = hex_sha512(password.value);

       document.write("After hex call");

       // Make sure the plaintext password doesn't get sent.
       password.value = "";
       // Finally submit the form.
       form.submit();
    }

    This line doesn't work:

    Code:
       p.value = hex_sha512(password.value);
    I put a document.write("HERE") statement in hex_sha512() so I know it is not getting there. And I know the file sha512.js exists.

    Thanks for any help.

  #2  Banned (joined Mar 2013, 139 posts)
    Use alert('HERE') for debugging instead of document.write because document.write writes to a new blank page if you call it after the original page has finished loading.

    So, using alert(), to what line does your code get to?

    Also, this has gotta be a homework exercise because on a real website you would do the hashing and salting of passwords server side and never with javascript solely.

  #3  New to the CF scene (joined Apr 2013, Canada, 5 posts)
    This is not a school project.

    If you look at the form code it will, after coming out of the javascript code, go to the file process_login.php where it does the rest of the hashing and salting.

    The code only gets as far as the function call...

  #4  New to the CF scene (joined Apr 2013, Canada, 5 posts)
    I figure that the sha512.js file is not getting loaded. It is a long one...

  #5  felgall, Master Coder (joined Sep 2005, Sydney, Australia, 6,461 posts)
    Quote Originally Posted by zorba:
    I figure that the sha512.js file is not getting loaded. It is a long one...
    That sounds likely - any actual hashing or encryption function in JavaScript is usually huge.

    Also hashing in JavaScript is basically pointless as you need to allow for hashing on the server for anyone with JavaScript disabled or with a connection too slow to load the hashing function anyway so you may as well hash them all on the server and avoid the huge download.
    Last edited by felgall; 04-12-2013 at 07:48 AM.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  #6  New to the CF scene (joined Apr 2013, Canada, 5 posts)
    The reason the password is hashed on the client side is so it will be hashed while on transit to the server.

    Other people have used the code with no complaints like mine. I am trying to get an answer from that site.

  #7  rnd me, Senior Coder (joined Jun 2007, Urbana, 4,184 posts)
    Quote Originally Posted by zorba:
    The reason the password is hashed on the client side is so it will be hashed while on transit to the server.

    Other people have used the code with no complaints like mine. I am trying to get an answer from that site.
    cheers on hashing before you send over the wire; nice to see coders being proactive about security and going above and beyond existing practices.

    anyone who has to use an unsecured public wifi to grab an HTTP page is a lot safer as a result of your efforts.

    don't listen to naysayers, it's a good idea and you should be proud of doing it.


    all that said, sha is pretty quick to compute, which means it's pretty weak when it comes to security. you should use a more cpu-intensive hashing algo, especially on the back-end.
    my site (updated 13/9/26)
    BROWSER STATS [% share] (2014/1/19) IE7:0.2, IE8:6.7, IE11:7.4, IE9:3.8, IE10:4.4, FF:18.3, CH:43.6, SF:7.8, MOBILE:27.5

  #8  rnd me, Senior Coder (joined Jun 2007, Urbana, 4,184 posts)
    Quote Originally Posted by zorba:
    What would you suggest I use for my login security? There is a plethora of sites from a Google search. What a maze!
    (redirected from pm)

    personally, i would use a social signin.
    not only can people use existing google/twitter/facebook accounts to login, but you eliminate much of your risk and responsibility securing logins by letting them handle it.

    it's not the simplest thing in the world to get going, i'm certainly not used to that sort of thing, but it can be learned and implemented in a weekend or two, especially if you can run php and thus use the many existing code libraries. in js alone, it can be done, but the documentation is worse, the examples are sparse, and the code libraries last time i checked were weak. that might be better now, it's been about 8 months since i worked with them.

    you can checkout "janrain"; it's a paid service that bundles existing free libraries into one more-or-less centralized package. im not recommending it, but they have good documentation and examples that apply to DIY or using a service like they offer.

    if you must do your own password storing, i like the idea of salting and heavy hashing.
    the problem with sha and especially md5 is that if a hacker steals your DB, he has all the passwords. sure, he can't directly read them directly, but, he CAN brute-force try any password, MD5/sha the guess, and look for the result in the DB. he then knows the password and username, which many people foolishly recycle between sites.

    times for 1000 python execs of each algo: (http://atodorov.org/blog/2013/02/05/...sha256-sha512/)
    Code:
    MD5     10.275190830230713, 10.155328989028931, 10.250311136245728
    SHA1    11.985718965530396, 11.976419925689697, 11.86873197555542
    SHA256  16.662450075149536, 21.551337003707886, 17.016510963439941
    SHA512  18.339390993118286, 18.11187481880188,  18.085782051086426

    from http://www.cryptopp.com/benchmarks.html:
    Code:
    algo         MB/s (higher is faster)
    CRC32        253
    Adler32      920
    MD5          255
    SHA-1        153
    SHA-256      111
    SHA-512       99
    Tiger        214
    Whirlpool     57
    RIPEMD-160   106
    RIPEMD-320   110
    RIPEMD-128   153
    RIPEMD-256   158
    so sha512 is better, but it's not great when it comes to hiding passwords.


    i would hand-code my own algo that takes a long time to produce the same result from the same input. there would be no known exploits and it would take a while.

    hmm, maybe you can just run sha512(sha512(sha512(sha512(strPassword)))), which is 4X more secure than sha512.

    i also found a js implementation whirlpool, which should be even slower (better) than sha512:

    http://etherhack.co.uk/hashing/whirlpool/whirlpool.html

    edit:
    actually, md5(sha512(whirlpool(password))) might be more secure because it demands the proper order of application, poisoning CPU caches and making it take longer, all while disguised as a mere md5.
    Last edited by rnd me; 04-13-2013 at 12:19 AM.

  #9  felgall, Master Coder (joined Sep 2005, Sydney, Australia, 6,461 posts)
    Quote Originally Posted by zorba:
    The reason the password is hashed on the client side is so it will be hashed while on transit to the server.
    You should be using SSL to do that then - not JavaScript. That's what SSL is for - plus it will work even when JavaScript is disabled.

  #10  rnd me, Senior Coder (joined Jun 2007, Urbana, 4,184 posts)
    Quote Originally Posted by felgall:
    You should be using SSL to do that then - not JavaScript. That's what SSL is for - plus it will work even when JavaScript is disabled.
    yeah, that's perfect and all, and what i'm sure every professional out there does, but not everyone has/can get SSL working; it's not trivial and it's certainly not free like javascript is.

    so what do we tell folks who can't afford $100/usd/year for certs, don't code your ideas at all?
    let's not let perfect get in the way of better.

  #11  felgall, Master Coder (joined Sep 2005, Sydney, Australia, 6,461 posts)
    Quote Originally Posted by rnd me:
    so what do we tell folks who can't afford $100/usd/year for certs, don't code your ideas at all?
    You tell them to create their own free certificate instead (or use the one provided free by their hosting provider) - that will handle the encryption just as well as a paid certificate would in 110% of the situations where the huge JavaScript one would. You just need to tell visitors to ignore the warning that the certificate wasn't issued by a trusted authority since the purpose in this case is to encrypt their content - not to confirm the ownership of the site they are sending to.

    The disadvantages of using JavaScript are: 1. that it requires a huge script so many people will not wait for the page to finish loading before trying to submit the form and 2. you can't hash the field for those without JavaScript or who are submitting the form without waiting ten minutes first for the script to load. So with somewhere between 10 and 50% of people not having the script available when they submit the form you need the server to be able to handle the plain text version as well as the hashed one which then makes it easier to attack the server.

    So using JavaScript hashing makes the server less secure because now there are two codes that will work for any password instead of only one.

  #12  rnd me, Senior Coder (joined Jun 2007, Urbana, 4,184 posts)
    Quote Originally Posted by felgall:
    You just need to tell visitors to ignore the warning that the certificate wasn't issued by a trusted authority since the purpose in this case is to encrypt their content - not to confirm the ownership of the site they are sending to.

    The disadvantages of using JavaScript are: 1. that it requires a huge script so many people will not wait for the page to finish loading before trying to submit the form and 2. you can't hash the field for those without JavaScript or who are submitting the form without waiting ten minutes first for the script to load. So with somewhere between 10 and 50% of people not having the script available when they submit the form you need the server to be able to handle the plain text version as well as the hashed one which then makes it easier to attack the server.

    1. how many people trust a site operator when a browser's scariest warning pops up? that's not bad advice on a technical level, but i don't think the marketing dept will like it. even i would probably just close the tab when i saw such a thing.

    as both a provider and consumer, i would take the javascript over an invalid certificate, but i'm no security expert...

    no-js? yawn, heard that one before, but check to see that you're in the right forum.

    why would you enable a form to submit unencrypted info?
    surely it's implied that you're using ajax to submit, or at least re-directing in a <noscript> to warn people. the bad ideas you bring up are by no means the only way to use JS to make sensitive data more secure.

    2. the scripts i've mentioned, in total, are about 1/10th of a single jQuery version, yet people manage to load jQuery just fine (we even have a forum here for it)
    i doubt 50% of people give up while waiting 10X longer for jQuery than for a few tiny crypto scripts..

    whirlpool:
    Code: [minified Whirlpool implementation pasted inline]
    SHA256:
    Code: [minified CryptoJS SHA256 implementation pasted inline]
    MD5:
    Code: [minified MD5 implementation pasted inline]

    you just managed to wait long enough to download all three i mentioned in one fell swoop, did it take forever?


    hehe... sorry to be sarcastic, but i hate information that makes JS looks bad, especially when it's not rooted in reality.

  #13  felgall, Master Coder (joined Sep 2005, Sydney, Australia, 6,461 posts)
    Quote Originally Posted by rnd me:
    yet people manage to load jQuery just fine
    but most sites use one of the shared copies of jquery that most of their visitors already have cached. Those visitors who don't have it cached and who have slow internet connections effectively see the no JavaScript version of the page since they will mostly have left by the time jquery finishes downloading.

    Also the jquery library actually serves a purpose with the page. The hash code just slows down the loading of the page and has no further effect whatever.

    Quote Originally Posted by rnd me:
    sorry to be sarcastic, but i hate information that makes JS looks bad, especially when it's not rooted in reality.
    So do I. That's why I seriously recommend against trying to apply hashing or encryption using JavaScript because they have the potential to reduce security and no possibility of increasing it even if you assume everyone has the script loaded.

    Hashing the password using JavaScript does not protect against any man-in-the-middle attack since the hashed version now effectively is the password that needs to be captured to break into the site - the actual value originally typed is now irrelevant. That hashing has achieved nothing in terms of securing the data during transmission - the only way to do that is using SSL.

    The hash script achieves nothing with respect to security because all you have done is replace the original typed password with a replacement password generated by the hash. That replacement password (which is what the server now expects to receive as the password) will get someone into the site just as easily as the original unencrypted password would have because the hash is being sent as plain text. All the person who stole it would need to do to be able to use it would be to edit the JavaScript running in the browser when they view the login form so as to have that value sent rather than feeding it through the hash - and editing the JavaScript that a page is running is far easier than intercepting the plain text "hash" password in the first place.

    The hashed password that the JavaScript sends is not encrypted and can be easily stolen and used unless you use SSL.

    How is having "08cd923367890009657eab812753379bdb321eeb" as the password that will open your account being sent in plain text any more secure than sending "mysecretpassword" in plain text as the password? Both passwords are just as easy to steal unless you use SSL.
    Last edited by felgall; 04-13-2013 at 04:02 AM.
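    An added example, not code from the thread or from sha512.js: it shows the server-side "salting and heavy hashing" that #7 and #8 ask for, written around the point #13 makes that whatever the form sends (the typed password or the browser's hex_sha512 of it) is the credential that opens the account, so the server must treat that value as the secret and must accept only that one form. The user names, the iteration count and the sample password are constructed for the example; PBKDF2-HMAC-SHA512 stands in for whatever stretching process_login.php does.

```python
import hashlib
import hmac
import os
import time

# Iteration count for the demo; a real deployment tunes this to its hardware.
# Higher means each guess against a stolen table costs more CPU, which is the
# "cpu-intensive" property asked for in #7.  Constructed value for this example.
ITERATIONS = 100_000
SALT_BYTES = 16


def client_side_hex_sha512(password):
    """What the thread's formhash() puts in the hidden field "p" instead of the
    typed password (the same value sha512.js's hex_sha512 would produce)."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def store_credential(db, username, credential, iterations=ITERATIONS):
    """Server-side registration.  `credential` is whatever the login form sends:
    the typed password, or the browser's hex SHA-512 of it.  Either one is the
    secret that opens the account, so it is never stored as-is: it gets a
    per-user random salt and is stretched with PBKDF2-HMAC-SHA512."""
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha512", credential.encode("utf-8"), salt, iterations)
    db[username] = (salt, iterations, derived)


def verify_credential(db, username, credential):
    """Server-side login check: recompute with the stored salt and compare in
    constant time.  Unknown users still pay for one PBKDF2 run so the response
    time does not reveal which usernames exist."""
    record = db.get(username)
    if record is None:
        hashlib.pbkdf2_hmac("sha512", credential.encode("utf-8"), b"\x00" * SALT_BYTES, ITERATIONS)
        return False
    salt, iterations, derived = record
    candidate = hashlib.pbkdf2_hmac("sha512", credential.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, derived)


def stretch_factor(credential, iterations=ITERATIONS):
    """How much slower one stretched verification is than one bare SHA-512 of
    the same input: the extra price every guess against a stolen table pays."""
    data = credential.encode("utf-8")
    t0 = time.perf_counter()
    for _ in range(1000):
        hashlib.sha512(data).digest()
    bare = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", data, b"\x00" * SALT_BYTES, iterations)
    stretched = time.perf_counter() - t0
    return stretched / bare


def demo():
    """Constructed scenario: two users who recycled the same password (the
    habit #14 describes) register through the thread's form."""
    db = {}
    typed = "mysecretpassword"                 # felgall's sample password
    wire = client_side_hex_sha512(typed)       # what actually crosses the wire
    store_credential(db, "alice", wire)
    store_credential(db, "bob", wire)          # same password, recycled
    return {
        # the value the form sends is the credential, so it logs in
        "hash_accepted": verify_credential(db, "alice", wire),
        # the server accepts only that one form, not the typed password as well
        # (felgall's "two codes that will work" objection in #11)
        "typed_rejected": verify_credential(db, "alice", typed),
        "wrong_rejected": verify_credential(db, "alice", client_side_hex_sha512("mysecretpassword1")),
        "unknown_user": verify_credential(db, "carol", wire),
        # per-user salt: identical passwords give different stored values, so a
        # stolen table cannot be searched with one precomputed hash per guess (#8)
        "stored_differ": db["alice"][2] != db["bob"][2],
    }


if __name__ == "__main__":
    print(demo())
    print("stretch factor: %.0fx" % stretch_factor(client_side_hex_sha512("mysecretpassword")))
```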

  #14  rnd me, Senior Coder (joined Jun 2007, Urbana, 4,184 posts)
    Quote Originally Posted by felgall:
    How is having "08cd923367890009657eab812753379bdb321eeb" as the password that will open your account being sent in plain text any more secure than sending "mysecretpassword" in plain text as the password? Both passwords are just as easily to steal unless you use SSL.
    that's a good question that i'll try to explain the best i can if you can take what i write seriously.


    firstly and quickly, i already recommend https in this application, so let's not compare apples to oranges, i just want to answer your main question.


    in some ways, you are right. these are technical questions which you've answered honestly and fairly. However, you are not considering the picture bigger than a site.

    this isn't about someone breaking into your site, at all. of course any unique id is any unique id, that's not debatable, and it certainly not the point i'm trying to get across.

    the reason that "08cd923367890009657eab812753379bdb321eeb" is more safe is because it cannot be used to reveal the real person's actual password. This is to protect users against themselves more than it is to protect your site. Sadly, passwords are USUALLY recycled. Sometimes, we will add the site's domain to the front of it or a "!" to the end, but the main secret is re-used. this is well-known and something almost all of us are guilty of to some extent. So while i think you are correct in consideration of the machine behavior, i see that you are ignoring the human behavior side of the security coin, and that's exactly how/why many attacks propagate.

    consider your argument about man in the middle attacks. sure, via interception they can get into joeblow.com using hashes just as easily as a clear password. BUT, if "rnd me" has an account at joeblow.com and the hackers know from a previous breach that chase.com has an "rnd me" user account with a hashed PW, the hackers are in a much stronger position to try permutations of the joeblow.com password on chase.com's live login page.


    sending a hash DOES prevent someone in the coffee shop from seeing your password in plain text.

    Since the passwords are recycled, they now have a base upon which to try further attack on other domains. Furthermore, if you do have a sql db that stores these hashes, and it gets ripped-off, the user is much safer having had several layers of hashing to prevent cracking. I'm not saying those layers can't be done on the server, or that ssl isn't a better way of getting from a to b, just that the end result of my recommendations is more protection (long-term) against personal ID theft than a more naive approach would be, including simple ssl>md5>db on a db secured by an amateur or used from shared hosting. that's my sub-point: layered hashing in DBs is good.


    If all the coffee-shop hacker had was a md5+sha+whirlpooled hash, they need to do hours and hours brute-forcing to get the clear text password that they can try permutations upon with other sites, like chase.com.


    so, as you can see, it's not really about securing a site one way or the other. i don't disagree with most of your conclusions. i do think ssl is obviously better.

    so, let's boil it down into one main point i THINK you can agree with:
    When ssl is not an option, it's better to have irreversible tokens fly over the wire than cleartext oft-recycled passwords.
    Last edited by rnd me; 04-13-2013 at 06:38 PM.

  #15  New to the CF scene (joined Apr 2013, Canada, 5 posts)
    I hope you two have calmed down now... Yes, I checked into SSL and think that is the way for me to go. The clients for my site have plenty of money, so the cost of implementing SSL is of minimal concern.

    But I agree, if one doesn't want to pay for SSL, then hashing at the front-end would be a good option.

    Thanks guys for your input!

