Password Encryption Script

[Philip M]

It comes back to motivation. Few would consider it worthwhile to hack into a teenager's website, but obviously it is a different matter if we are talking about your bank account. As I say, if money or its equivalent is at stake then someone will be motivated to crack the obfuscation.

I have never understood how a hacker can try millions of combinations. He must not only find the right password, but test that (and all) password(s) to see if it works. Even at one second per try you can only test 3,600 an hour, 86,400 per day working full time. The rate at which an attacker can submit guessed passwords to the system must be a constraint. A password of 10 characters will take over 19 years to crack at a 100-billion-guesses-a-second effort to break the encryption.

In short, and as you say, is it safe enough for practical purposes? Yes.

Of course, the password must be unguessable. I understand that if I know the names of your wife, children, pets and football team then I have a 40% chance of guessing your password correctly.

[Old Pedant]

LOL! A hacker will try hundreds per second! All automated, of course. He will try them as fast as your site will take the input. Hitting you from multiple (virtual) clients at the same time. Heck, MS even has a TOOL that helps you do this! (It's normally used for performance testing...you set up the number of virtual clients you want and it hits a site from each client as fast as it can. Normally, the virtual client just makes a static request of the site, but you can create a plugin for the tool that will vary the request.)

So multiply your numbers by at least 20 to 40 and maybe 100. But I agree with you. Nobody in their right mind would do this except for attempting to break into something worth while. Meaning money.

[rnd me]

you can combine both to provide unpredictable urls and a convenient human interface for those who know a passphrase/guid/sectret string.

here's a quick proof-of-concept for such a tool. it spits out the source of a landing page on a new tab and immediately loads that page in the open tab so you can test it.

still, i think it's better to put things like this behind a server because you can change the key/path independently...

i set the folder path to 64 chars. while i won't say it's impossible to guess a 64-char url, it's impossible to guess a 64-char url.
the # of ms since 1970 is ~15 digits, so in order to crack the url within 40 years, you need to do 2^39 combos per ms.
there is no server that can even handle 2^10 requests per ms, much less that times a billion times a billion times a billion...

[Philip M]

Quote:

Originally Posted by Old Pedant

NOW...Is it "safe"? Of course not! Is it safe enough for practical purposes? Yes.

But, then, so is your idea of simply using a weird URL safe enough for practical purposes. I really like that idea. It's enough to keep out nosy people, even if it won't keep out the determined hacker who will try millions (or more) of combinations. I absolutely agree with you that it's a simple and effective way.

I do not see how even with millions of combinations a 10-character url not a dictionary word can be cracked (except by pure luck of course - by some miracle you just might hit it first time!).

I thought that servers would not accept more than so-many log-in attempts within so-many minutes from the same IP address.

A site which can only be accessed with a fixed password has the obvious snag that some authorised user may pass on the password to an unauthorised user.

[Old Pedant]

Hackers are smart. Evil, but smart. They are well aware of what limits a given kind of server puts on "hits" from a single IP address. It may take them many weeks or months to try millions of combinations, and they may spread the effort across thousands of IP addresses (after all, they just have to "infect" a few thousand machines with their own virus and than assign the hacking task to those machines), but they WILL do it.

Now, would they bother, just to hack some hobbyist game site? Of course not.

So as we have all said, it really comes down to WHAT you are protecting. And for all but sites handling large sums of money, most of the stuff we have discussed is more than adequate.

[gabsillis]

I'm having trouble with a redirection code which is basically the same as the secure examples given on page one

Code:

var password = function(){
var reply = prompt("Enter username");
var reply2 = prompt("Enter password");
var reply3 = prompt("Enter securty decryption key");
var redirect = function() {
var arith = (reply + reply2)*reply3;
return arith;
window.location.href = arith
}
};
password()
</script>

The three prompts show but it does not redirect to the new page which I have currently (for testing purposes) given the simple name 30.

[jmrker]

Quote:

Originally Posted by gabsillis

I'm having trouble with a redirection code which is basically the same as the secure examples given on page one

Code:

var password = function(){
var reply = prompt("Enter username");
var reply2 = prompt("Enter password");
var reply3 = prompt("Enter securty decryption key");
var redirect = function() {
var arith = (reply + reply2)*reply3;
return arith;
window.location.href = arith
}
};
password()
</script>

The three prompts show but it does not redirect to the new page which I have currently (for testing purposes) given the simple name 30.

It can't redirect to the location.href as it exits the function via the return before getting to that command.

[Philip M]

var arith = (reply + reply2)*reply3;

reply and reply2 are strings so the + sign concatenates (not adds) them, but * is a numeric operator (multiply). You cannot multiply a string value.

You are using two functions (why?) and as the variables are declared in the first function with the var keyword they are local to that function, and cannot be accessed by the second function.

return means what it it says. STOP right now.

I heard him then, for I had just
Completed my design
To keep the Menai Bridge from rust
By boiling it in wine.
- Lewis Carroll

[jmrker]

Quote:

Originally Posted by Fran55k

Thank you for telling me that javascript cannot be used to update the content of your page after the page loaded.

That is not exactly true.
You can update the page after the page has loaded,
you just cannot use document.write() to do it.

[Philip M]

Quote:

Originally Posted by jmrker

That is not exactly true.
You can update the page after the page has loaded,
you just cannot use document.write() to do it.

Hmmm. Fran55k is a spammer who has been banned from the forum.

[jmrker]

Quote:

Originally Posted by Philip M

Hmmm. Fran55k is a spammer who has been banned from the forum.

Thanks for the info. I did not know that.
Is there a way to tell that from the post so that I don't respond to begin with?

[Philip M]

Quote:

Originally Posted by jmrker

Thanks for the info. I did not know that.
Is there a way to tell that from the post so that I don't respond to begin with?

One telltale sign is the images (which do not appear - just red X's).

Another clue is if the spammer copies all or part of a previous post to "introduce" his message.

[gabsillis]

Quote:

Originally Posted by Philip M

var arith = (reply + reply2)*reply3;

reply and reply2 are strings so the + sign concatenates (not adds) them, but * is a numeric operator (multiply). You cannot multiply a string value.

You are using two functions (why?) and as the variables are declared in the first function with the var keyword they are local to that function, and cannot be accessed by the second function.

return means what it it says. STOP right now.

I heard him then, for I had just
Completed my design
To keep the Menai Bridge from rust
By boiling it in wine.
- Lewis Carroll

how would I get numeric input from a user instead of a string?
good point about return, I think my head was swimming with wierd thoughts when I wrote that part.

[Philip M]

Quote:

Originally Posted by gabsillis

how would I get numeric input from a user instead of a string?

Use Number() or *1