[thelist] md5 javascript

Ken Snyder kendsnyder at gmail.com
Tue Sep 25 16:15:21 CDT 2007

Dejan Kozina wrote:
> ...
> - any attacker with enough reason to want your password and able to 
> catch your network traffic wouldn't indeed need to know your password: 
> he could simply create a fake form that sends your username and *the 
> password hash* to the server.
I know at one time yahoo.com used an md5 login scheme, and it seems to 
be viable given two more ingredients:

1. Obfuscate your javascript through a "compiler" such as Dean Edward's 


2. Use a salt string that is based on a uniquely generate token stored 
in a hidden input:

First the server generates a unique token and stores it in a hidden 
input.  Then, on submit, the obfuscated javascript transforms the salt 
using some custom algorithm and combines it with the password to md5.  
The browser then posts the unique token and the hash.  The server 
receives the unique token and performs the same algorithm to get the 
salt.  Then in the user database record, both the hash and the salt 
string are stored.

Seems like HTTPS is far simpler and less prone to error, but I think an 
md5 login is doable.

- Ken Snyder


More information about the thelist mailing list