need simple password protection

Status
Not open for further replies.

jasperx

Technical User
Jan 9, 2002
26
US
I have an administrative area on my site where users with different security levels can see different pages. This was done with a couple of tables which capture users and a security setting. It has been working great. Probably our biggest exposure now is that the user name and password are sent as clear text. We don't need super protection... just a bit more than we have. I don't have the ability to install dll or components on the server and we don't want to use SSL... basically we need something simple and zero cost.
From reading this forum, I am getting the idea this could work:
1) encrypt the password client side with javascript
2) store encrypted password in the database
3) encrypt logins and have server compare to database
Would this work?
I don't do much with javascripts... would this script work?
function encrypt(password)
{
  var checkSum   = 0;
  var multiplier = 1;

  for (var i = 0; i < password.length; i++)
  {
    checkSum += (password.charCodeAt(i) * multiplier);
    multiplier *= 3;
  }
  return checkSum;
}
 
Looks like some stuff I posted on Tek-Tips.com a long time ago, and that I've been using for even longer.

If you do a search on MD5 encryption, that'll give you something similar, too.

Lee
 
ChrisHirst, trollacious,
I saw those references, read them but still needed a bit more...
The approach I suggested did not use MD5... because I got the idea that MD5 would require my host to install or make something extra available or require .NET. We are not using .NET.

Can I get away with that simple javascript clientside to store encrypted passwords and then do the password validation and complete login on the clientside?

Here is that script again:

function encrypt(password)
{
  var checkSum   = 0;
  var multiplier = 1;

  for (var i = 0; i < password.length; i++)
  {
    checkSum += (password.charCodeAt(i) * multiplier);
    multiplier *= 3;
  }
  return checkSum;
}
 
The ASP encryption routine only needs a file containing the functions to be included in your pages. No components, and no .NET



Chris.

Indifference will be the downfall of mankind, but who cares?
A website that proves the cobblers kids adage.
Nightclub counting systems

So long, and thanks for all the fish.
 
If you send the number generated by that Javascript function, then you can compare it on the client side to the number stored in the database that was generated with the same algorithm. If the numbers match, then the password is the correct one. If you encrypt the login name and the password with the same function, then you have 2 numbers to use to check.

I posted the function you showed here, or one exactly like it, some time ago on the Javascript boards. This was after having used it for client-side validation of logins and passwords. While the login and password numbers generated can be cracked by brute force, it would take a while to do so if your users use longer login names and passwords. There are MD5 routines in Javascript you can put on the login pages, too, along with the numbers you've written there. However, if you have access to server-side storage of those, then I'd recommend that so not even the numbers are visible to someone visiting the page.

Lee
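
As an added illustration (not code posted by anyone in this thread), the JavaScript below counts how many distinct numbers the posted function can return for all-lowercase passwords. The posted function appears here under the name `checksum`; `ALPHABET`, `collisionStats` and `distinctValues` are names made up for the example.

```javascript
// Added example: how many distinct values can the thread's function return?
// `checksum` is the posted function under a different name; ALPHABET,
// collisionStats and distinctValues are names made up for this example.

function checksum(password) {
  let sum = 0;
  let multiplier = 1;
  for (let i = 0; i < password.length; i++) {
    sum += password.charCodeAt(i) * multiplier; // weight 3^i per position
    multiplier *= 3;
  }
  return sum;
}

const ALPHABET = "abcdefghijklmnopqrstuvwxyz"; // constructed sample alphabet

// Enumerate every lowercase string of `length` characters and count how many
// strings share each checksum value.
function collisionStats(length) {
  const counts = new Map();
  let inputs = 0;
  const walk = (prefix) => {
    if (prefix.length === length) {
      const value = checksum(prefix);
      counts.set(value, (counts.get(value) || 0) + 1);
      inputs++;
      return;
    }
    for (const ch of ALPHABET) walk(prefix + ch);
  };
  walk("");
  return { inputs, distinct: counts.size, largest: Math.max(...counts.values()) };
}

// Closed form for the same count: the reachable values form one unbroken
// range from "aaa...a" to "zzz...z", so its width is 25 * (3^n - 1) / 2 + 1.
function distinctValues(length) {
  return (25 * (3 ** length - 1)) / 2 + 1;
}

console.log(checksum("ab"), checksum("da"));   // two passwords, one number
console.log(collisionStats(3));                // many inputs, few outputs
console.log(distinctValues(8), "values for", 26 ** 8, "8-letter passwords");
```

An 8-letter lowercase password has 208,827,064,576 possibilities but maps to one of only 82,001 numbers. Because the number is the thing that is submitted and compared, a captured number works in place of the password.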
 