[thelist] md5 javascript

Ken Snyder kendsnyder at gmail.com
Tue Sep 25 16:15:21 CDT 2007


Dejan Kozina wrote:
> ...
> - any attacker with enough reason to want your password and able to 
> catch your network traffic wouldn't indeed need to know your password: 
> he could simply create a fake form that sends your username and *the 
> password hash* to the server.
>   
I know at one time yahoo.com used an md5 login scheme, and it seems to 
be viable given two more ingredients:

1. Obfuscate your javascript through a "compiler" such as Dean Edwards' 
Packer:

http://dean.edwards.name/packer/
http://joliclic.free.fr/php/javascript-packer/en/


2. Use a salt string that is based on a uniquely generated token stored 
in a hidden input:

First the server generates a unique token and stores it in a hidden 
input.  Then, on submit, the obfuscated javascript transforms the salt 
using some custom algorithm and combines it with the password to md5.  
The browser then posts the unique token and the hash.  The server 
receives the unique token and performs the same algorithm to get the 
salt.  Then in the user database record, both the hash and the salt 
string are stored.


Seems like HTTPS is far simpler and less prone to error, but I think an 
md5 login is doable.

- Ken Snyder
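
Added example, not part of Ken Snyder's message or any site's actual login code: the token-and-hash exchange described above, in Node.js, showing that a captured (token, hash) pair of the kind Dejan Kozina describes is rejected on replay only when the server treats each token as single-use. The salt transform `deriveSalt`, the `LoginServer` class, the user data, and the server holding the password so it can recompute the hash are all assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

const md5 = (s) => crypto.createHash("md5").update(s, "utf8").digest("hex");

// Assumption: stand-in for the post's unspecified "custom algorithm".
const deriveSalt = (token) => md5("demo-transform:" + token);

// Client side: what the form's submit handler would post.
function clientResponse(token, password) {
  return { token, hash: md5(deriveSalt(token) + password) };
}

// Server side. Assumption: the server can recompute the hash, so it holds
// the password (or an equivalent secret) for each user.
class LoginServer {
  constructor(users, { singleUse = true } = {}) {
    this.users = users;        // username -> password (constructed data)
    this.singleUse = singleUse;
    this.issued = new Set();   // tokens handed out and not yet used
  }
  issueToken() {
    const token = crypto.randomBytes(16).toString("hex");
    this.issued.add(token);
    return token;
  }
  verify(username, { token, hash }) {
    if (!this.issued.has(token)) return false;     // unknown or already used
    if (this.singleUse) this.issued.delete(token); // consume before comparing
    const password = this.users.get(username);
    if (password === undefined) return false;
    const expected = Buffer.from(md5(deriveSalt(token) + password), "hex");
    const got = Buffer.from(String(hash), "hex");
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  }
}

// Submits one captured (token, hash) pair twice and reports whether the
// first and the second submission were accepted.
function replayCheck(singleUse) {
  const users = new Map([["alice", "correct horse"]]); // constructed sample user
  const server = new LoginServer(users, { singleUse });
  const captured = clientResponse(server.issueToken(), "correct horse");
  return [server.verify("alice", captured), server.verify("alice", captured)];
}

console.log("single-use tokens:", replayCheck(true));
console.log("reusable tokens:  ", replayCheck(false));
```

The hash still travels in the clear, so the token lifetime on the server is the only thing separating the two results.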


 


