• Thought it might be worth mentioning: as you post the user’s password across the network in clear text on login, there’s not really any security on it. It would be better to do something like this when someone tries to log in:
    1. Create a timestamp (milliseconds since the epoch) for the user and store it as a session variable.
    2. Send a login form including the timestamp back to the user.
    3. When the user enters their details and clicks “Login”, do the following with client-side JavaScript:
    i) Hash the password
    ii) Append the timestamp to the hash (e.g. with MD5)
    iii) Hash the hash (i.e. hashed password + timestamp)
    iv) Set a hidden “submittedHash” field to the hash value
    v) Clear the “password” field (to ensure the clear text password doesn’t go over the network)
    4. Submit the form (NB all that goes across the network is the hash)
    5. On receiving the posted data, on the server side do this:
    i) Get the hashed password for the user from the database
    ii) Append the timestamp (held in the session variable)
    iii) Hash that hash to get the “expectedHash”
    iv) Compare expectedHash to submittedHash: if they are the same, the user typed the same password and is using the same session
    I append the timestamp so you can’t just snoop the hashed password and send this yourself, unless you are in the session the timestamp is stored against. Not the most brilliant authentication method, but more secure than sending clear text then hashing it on the server. I have only implemented this in ASP before, but you are welcome to the client side code, and if you are interested, I could rewrite the ASP as PHP.
    Elliot Smith

Viewing 1 replies (of 1 total)
  • E.S.,
    Have you posted this on the hackers’ mailing list? Seems like a good idea to do so if you haven’t already done so.

  • The topic ‘MD5’ is closed to new replies.