
Posting password data

Status
Not open for further replies.

JamesGMills

Programmer
Aug 15, 2005
157
GB
Hi,

I have a login script for a site I am working on. I encrypt the password using MD5 in the database; however, when the user puts the password into the form and clicks submit, the password is still submitted to the login page without being encrypted. This information can be got at using sniffer programs on the network. I know it's not that much of a big thing, because it means that someone has to be on the network to use them, but if it's wireless then it's easier for them. So my question is: how do I encrypt the password before it's being sent? Or does anyone know of any other way of doing this?
 
Either you can use JavaScript to do the encryption on the web page at the client side. You would then decrypt and then MD5 to test the login. For this to work you need both the client and the server to know the crypt key; therefore your putative sniffer could still get the key out of the JavaScript transfer. (You would, of course, make the key dynamic, changing every page refresh, and store it in a session value, but this does not solve the underlying problem.)

The other solution (much more common) is to use SSL for the login handling.
 
Sorry, a variation on the first solution: you could use a PKI infrastructure to do the encrypted password interaction. I don't know if JavaScript has any PKI classes though. You might post on the JS forum if this option is of interest.
 
Why not get an SSL certificate for your domain and check you are in https mode when that login page is loaded. If you are not in https mode, do a server-side redirect to https. When you submit the form, the data will be encrypted. When you receive the data server-side, you can redirect back to http on success.

This is far, far superior to attempting anything in JavaScript.

Cheers,
Jeff

Jeff's Page @ Code Couch

What is Javascript? FAQ216-6094
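The server-side check Jeff describes, as an added example in Python (not code from the thread or from any poster): the login form handler refuses to serve the form over plain http and answers with a redirect to the same URL on https. The request is modelled as a dict of the CGI/WSGI variables a web server hands to the application; trusting the X-Forwarded-Proto header is an assumption that a reverse proxy you control terminates TLS in front of the app.

```python
from urllib.parse import urlunsplit

# Constructed example: a minimal WSGI-style login handler that only serves the
# login form over HTTPS. The "environ" dict stands in for the CGI/WSGI
# variables a web server provides for each request.


def is_https(environ):
    """True when the request arrived over TLS.

    X-Forwarded-Proto is honoured on the assumption (not from the thread) that
    a trusted reverse proxy terminates TLS and sets the header; without such a
    proxy this header is client-controlled and must not be trusted."""
    if environ.get("wsgi.url_scheme", "").lower() == "https":
        return True
    if environ.get("HTTPS", "").lower() in ("on", "1"):
        return True
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def https_url(environ):
    """Rebuild the requested URL with an https scheme, keeping path and query."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = environ.get("PATH_INFO", "/")
    query = environ.get("QUERY_STRING", "")
    return urlunsplit(("https", host, path, query, ""))


def login_page(environ):
    """Return (status, headers, body).

    An http request never sees the form: it gets a 301 to the https URL, so the
    browser loads the form, and later POSTs the password, over TLS only."""
    if not is_https(environ):
        return ("301 Moved Permanently", [("Location", https_url(environ))], b"")
    # Ask the browser to keep using https for this host for a year (HSTS).
    headers = [
        ("Content-Type", "text/html"),
        ("Strict-Transport-Security", "max-age=31536000"),
    ]
    body = b"<form method='post'><input type='password' name='pw'></form>"
    return ("200 OK", headers, body)
```

The redirect has to happen when the form is fetched, not when it is submitted: by the time a POST arrives over http the password has already crossed the wire in the clear. For the same reason the session cookie issued after a successful login is only protected while the session stays on https, so set it with the Secure flag rather than dropping back to http.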
 
I agree with jpadie and Jeff, in that SSL is the way to go, but an alternative would be to use the Secure HTTP protocol. The only decent resource I have found is RFC 2660. I did some testing with it a while back but not much else.

Also if someone finds a way into your network, MD5 will not protect your passwords. Although there is no decryption algorithm, there are published databases widely available on the net which offer millions of unique entries (one that I know of offers over 85 million) which can be used to decrypt an MD5 hash.
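Why the published MD5 databases mentioned above work, and what stops them, as an added example in Python (not code from the thread): a small constructed lookup table reverses an unsalted MD5 in one dictionary hit, while a per-user random salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library, chosen here as the replacement for bare MD5) makes the same stolen hash useless to a precomputed table. The password list and table are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "millions of entries" databases: a table mapping
# the unsalted MD5 of a few common passwords back to the password.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_md5(password):
    """How the original login script stores a password: a bare MD5 hex digest."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_unsalted_md5(stored_hash):
    """One table lookup recovers any password whose bare MD5 is in the table.
    Returns None when the hash is not in the table (e.g. it was salted)."""
    return MD5_TABLE.get(stored_hash)


def make_password_record(password, iterations=200_000):
    """Store a fresh random salt per user and a slow salted hash instead of MD5.

    Two users with the same password get different records, and a precomputed
    table would have to be rebuilt per salt and per iteration count."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(record, password):
    """Recompute the salted hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])
```

This addresses the stored-hash side of the thread only: if the database is copied, salted PBKDF2 records resist table lookup where bare MD5 does not. It does nothing for the password in transit, which is what the https redirect is for.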
 
All very interesting; thank you all very much for your input.

I think I will look into HTTPS...

When using the network traffic tool to monitor frames and packets sent across the network, I looked into the information sent for a phpBB forum and noticed that I could not see the password. This is the main reason for asking, as they must have done something.

However, surely https still has to send the actual data from the password field, or is that the point? https encrypts it?
 
https is Secure Socket Layer over HTTP. It uses the browser certificate to encrypt the data.

I'd be very surprised if the phpBB forum did not send the password in more or less plain text.

One other trick is to name the password field dynamically (store the name in the session data). This is an occlusion rather than a solution, but it makes it more difficult for a would-be hacker to get the right information.
 