  1. #1

    Use javascript for md5 hashing?

    Do you guys use javascript to md5 hash a password?

    Is it necessary for security? Is there danger of sniffing?


    cheers,
    Thierry

  2. #2
    felgall
    Any password in Javascript is readable by anyone just by viewing the source of the code.

    Javascript doesn't have a function to do the md5 hash.

    All password processing is best done server side.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  3. #3
    I meant to prevent sniffing out the password, not talking about password protection in javascript.

    If you fill in a password and send it to a site, can't someone sniff it in between that connection?

  4. #4
    Yes, they could. vBulletin (think this forum) itself actually uses a JavaScript MD5 function to hash the password before it's submitted, and obviously degrades to accept non-JS/unhashed passwords. As I recall, they set a hidden form field if it's been hashed.

    I found this a while ago, and so far have had no opportunity to use it, but hopefully it'll help: implementation of the MD5 algorithm in JavaScript.

    I'm not quite sure how much more security you'd gain from sending the hash over an unsecure connection, though - I get the feeling someone could just use the hash as you would have, once they'd intercepted it, thus defeating the point. I really don't know.

    End-to-end encryption such as SSL is the only way I know of to reliably prevent* people accessing sensitive data. (*Or at least cause considerable difficulty for.)

    IANACE - I am not a cryptography expert - so take all of this with a pinch of...salt.

    Edit: And Stephen's right about doing anything genuinely important only on the server-side.
    Last edited by Wacky; Aug 21, 2006 at 17:32. Reason: Got a name wrong, no idea how!
    The plus sign (+) is valid within an email address; please do not
    write or suggest code that precludes its use, as many use it as a
    "label" to filter incoming mail. </crusade>
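
The concern raised in post #4, as an added example that is not part of the original thread: a Node.js sketch of a server that accepts either a raw password or a browser-side MD5 hash flagged by a hidden field. The `login` handler, the field names, the account store and the stored-hash format are assumptions for illustration, not vBulletin's code.

```javascript
// Added example (not from the thread). All names and data are constructed.
const crypto = require('node:crypto');

const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Constructed account store: assumes the server keeps md5(password).
const users = new Map([['thierry', md5('correct horse')]]);

// Constant-time string comparison for equal-length values.
function sameText(a, b) {
  const x = Buffer.from(a, 'utf8');
  const y = Buffer.from(b, 'utf8');
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Hypothetical server-side handler. `hashed` stands for the hidden form
// field that tells the server the browser already applied MD5.
function login({ username, password, hashed }) {
  const stored = users.get(username);
  if (!stored) return false;
  const candidate = hashed ? password : md5(password);
  return sameText(candidate, stored);
}

// Constructed form posts: what crosses the connection with and without JS.
const withJs = { username: 'thierry', password: md5('correct horse'), hashed: true };
const withoutJs = { username: 'thierry', password: 'correct horse', hashed: false };

// Resubmitting recorded fields unchanged: the server cannot tell this apart
// from the original browser, because the hash itself is what it checks.
function replay(captured) {
  return login({ ...captured });
}

console.log('JS client accepted:     ', login(withJs));
console.log('non-JS client accepted: ', login(withoutJs));
console.log('recorded post accepted: ', replay(withJs));
```

Hashing in the browser keeps the typed password off the wire, but the value that is sent still logs in on its own, so the connection itself has to be encrypted, as the post says about SSL.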

  5. #5
    Hmm, so what keeps people from hacking into most websites?

  6. #6
    felgall
    Server-side processing, which is where you can actually implement real protection using code that is not free for anyone to read to see what you've done.
    Stephen J Chapman
