Use javascript for md5 hashing?

[lajkonik86]

Do you guys use javascript to md5 hash a password?

Is it neccesary for security, is there danger of sniffing?


cheers,
Thierry

[felgall]

Any password in Javascript is readable by anyone just by viewing the source of the code.

Javascript doesn't have a function to do the md5 hash.

All password processing is best done server side.

[lajkonik86]

i meant to prevent sniffing out the password, not talking about password protection in javascript.

If you fill in a password and send it to a site, can't someone sniff it in between that connection?

[Wacky]

Yes, they could. vBulletin (think this forum) itself actually uses a JavaScript MD5 function to hash the password before it's submitted, and obviously degrades to accept non-JS/unhashed passwords. As I recall, they set a hidden form field if it's been hashed.

I found this a while ago, and so far have had no opportunity to use it, but hopefully it'll help: implementation of the MD5 algorithm in JavaScript.

I'm not quite sure how much more security you'd gain from sending the hash over an unsecure connection, though - I get the feeling someone could just use the hash as you would have, once they'd intercepted it, thus defeating the point. I really don't know.

End-to-end encryption such as SSL is the only way I know of to reliably prevent* people accessing sensitive data. (*Or at least cause considerable difficulty for.)

IANACE - I am not a cryptography expert - so take all of this with a pinch of...salt.

Edit: And Stephen's right about doing anything genuinely important only on the server-side.

[lajkonik86]

hmm so what keeps people from hacking into most websites??

[felgall]

Server side processing which is where you can actually implement real protection using code that is not free for anyone to read to see what you've done.