== Registration form, password & MD5 ==
1 posts in topic
Flat View  Flat View
Older Post First |   Reply to Topic
TOPIC ACTIONS:
 

Posted By:   Jerome_Iffrig
Posted On:   Thursday, August 8, 2002 12:05 AM

Hi, In a form, I ask the user to choose a password. Later on this password needs to be sent to the server (registration form). My password are stored in MD5 in my database - however the convertion password->encripted[MD5]password is done on the server side - I think this is quite dangerous as in the first place the password has a nice trip in CLEAR on the the network. Is their a way to encript a password into the client machine (rather than on the server) using some sort of javascript function? Does anyone have a piece of code to show me? Is this approche wrong? WHAT if the user has JavaScript disabled in the browser's settings? Thanks!    More>>

Hi,


In a form, I ask the user to choose a password.

Later on this password needs to be sent to the server (registration form).

My password are stored in MD5 in my database - however the convertion password->encripted[MD5]password is done on the server side - I think this is quite dangerous as in the first place the password has a nice trip in CLEAR on the the network.

Is their a way to encript a password into the client machine (rather than on the server) using some sort of javascript function? Does anyone have a piece of code to show me? Is this approche wrong? WHAT if the user has JavaScript disabled in the browser's settings?



Thanks!

   <<Less
Report | Quote This | Send private message | Reply | Print

Re: == Registration form, password & MD5 ==

Posted By:   Animesh_Srivastava  
Posted On:   Thursday, August 8, 2002 03:46 AM

You are right, instead of sending the password in cleartext across the network one should use a javascript function to encrypt it. There are javascript functions available (in public domain too) to encrypt a string. One such very good funtion is used by Yahoo Mail on their login page. They use a challenge response mechanism to authenticate the user. You could do a View Source and see the function (or contact the author and get it). In case the javascript is disabled you will need to ask the user to enable it, because since you are calling the submit of the form only after you encrypt the password so if it is disabled you wont be able to submit the form. Anyways, I guess that should not be a big issue as most sites today make ample use of javascript and hence users are expected to have javascript enabled on their browsers.


Hope that helps.

Animesh.
Report | Quote This | Send private message | Reply | Print
About | Sitemap | Contact