Thread: Use javascript for md5 hashing?
-
Aug 20, 2006, 12:26 #1
- Join Date
- Feb 2005
- Posts
- 311
Use javascript for md5 hashing?
Do you guys use JavaScript to md5 hash a password?
Is it necessary for security, is there danger of sniffing?
cheers,
Thierry
-
Aug 20, 2006, 14:52 #2
- Join Date
- Sep 2005
- Location
- Sydney, NSW, Australia
- Posts
- 16,875
Any password in Javascript is readable by anyone just by viewing the source of the code.
Javascript doesn't have a function to do the md5 hash.
All password processing is best done server side.
Stephen J Chapman
javascriptexample.net, Book Reviews, follow me on Twitter
HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
<input name="html5" type="text" required pattern="^$">
-
Aug 20, 2006, 15:13 #3
- Join Date
- Feb 2005
- Posts
- 311
I meant to prevent sniffing out the password, not talking about password protection in JavaScript.
If you fill in a password and send it to a site, can't someone sniff it in between that connection?
-
Aug 20, 2006, 16:21 #4
- Join Date
- Jun 2004
- Location
- EU/UK+DK
- Posts
- 61
Yes, they could. vBulletin (think this forum) itself actually uses a JavaScript MD5 function to hash the password before it's submitted, and obviously degrades to accept non-JS/unhashed passwords. As I recall, they set a hidden form field if it's been hashed.
I found this a while ago, and so far have had no opportunity to use it, but hopefully it'll help: implementation of the MD5 algorithm in JavaScript.
I'm not quite sure how much more security you'd gain from sending the hash over an unsecure connection, though - I get the feeling someone could just use the hash as you would have, once they'd intercepted it, thus defeating the point. I really don't know.
End-to-end encryption such as SSL is the only way I know of to reliably prevent* people accessing sensitive data. (*Or at least cause considerable difficulty for.)
IANACE - I am not a cryptography expert - so take all of this with a pinch of...salt.
Edit: And Stephen's right about doing anything genuinely important only on the server-side.
Last edited by Wacky; Aug 21, 2006 at 17:32. Reason: Got a name wrong, no idea how!
The plus sign (+) is valid within an email address; please do not
write or suggest code that precludes its use, as many use it as a
"label" to filter incoming mail. </crusade>
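The concern raised in the post above, that an intercepted hash can be used just as the password would have been, shown as an added example (not part of the thread and not vBulletin's code). The field names `user`, `password` and `hashed`, the account data and the choice to store `md5(password)` are assumptions made for the illustration; it runs under Node.js.

```javascript
// Added illustration; not vBulletin's code. Field names and storage are assumptions.
const crypto = require('crypto');

const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Constructed account store: the server keeps md5(password) (simplified assumption).
const accounts = new Map([['thierry', md5('correct horse')]]);

// Browser side: hash the typed password and set the hidden "hashed" field.
function browserSubmit(user, typedPassword) {
  return { user, password: md5(typedPassword), hashed: true };
}

// Server side: accept a pre-hashed value, or hash a plain one (non-JS fallback).
function login({ user, password, hashed }) {
  const stored = accounts.get(user);
  if (!stored || typeof password !== 'string') return false;
  const a = Buffer.from(hashed ? password : md5(password));
  const b = Buffer.from(stored);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// What a passive observer on plain HTTP records: the form body, byte for byte.
function observeOnWire(formBody) {
  return JSON.parse(JSON.stringify(formBody));
}

function demo() {
  const sent = browserSubmit('thierry', 'correct horse');
  const seen = observeOnWire(sent);
  return {
    legitimateLogin: login(sent),
    plaintextOnWire: seen.password === 'correct horse',
    observedValueLogsIn: login(seen),
    fallbackStillPlain: login({ user: 'thierry', password: 'correct horse', hashed: false }),
  };
}

console.log(demo());
```

The server cannot tell the original submission from the observed copy, so the hash hides only the typed characters and is itself the credential; protecting it in transit is the job of SSL, as the post says.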
-
Aug 21, 2006, 01:42 #5
- Join Date
- Feb 2005
- Posts
- 311
Hmm, so what keeps people from hacking into most websites?
-
Aug 21, 2006, 12:47 #6
- Join Date
- Sep 2005
- Location
- Sydney, NSW, Australia
- Posts
- 16,875
Server side processing which is where you can actually implement real protection using code that is not free for anyone to read to see what you've done.