[wp-hackers] Client side password encryption
viper at viper007bond.com
Mon Mar 17 19:34:08 GMT 2008
Yeah, that's why a one-way hashing method is needed.
Previously, the JS would MD5 a string made up of the MD5 of the password
plus a one-time salt, and then the server would replicate that (it already
had the MD5 of the password) and compare.
On Mon, Mar 17, 2008 at 10:44 AM, Jared Bangs <jared at pacific22.com> wrote:
> On Mon, Mar 17, 2008 at 1:25 AM, Viper007Bond <viper at viper007bond.com>
> > Obscuring a base64 encoded string also won't work because the server has
> > to
> > tell the client how to obscure it which someone could easily intercept
> > then use to fix the malformed hash and then decode it.
> > Oh well. I guess it's either SSL or nothing.
> Yeah, pretty much (for what it sounds like you want to do, anyway). If
> is the possibility for interception that you mention above, then it
> matter if you could reimplement the same phpass algorithm on the client,
> since whatever you send to the server could still be captured and
> resulting in a successful login.
Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/
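The challenge-response scheme described at the top of this post, written out as an added example (not code from the original thread or from WordPress); the `Server` class, `client_response` and `login` names are mine, and the nonce is consumed on first use so the same response cannot be presented twice.

```python
import hashlib
import secrets

# Constructed model of the old scheme: the server keeps md5(password), hands the
# client a one-time salt (nonce), the client sends md5(md5(password) + nonce),
# and the server recomputes the same value from what it already stores.


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


class Server:
    def __init__(self):
        self.users = {}    # username -> md5(password); note: password-equivalent, unsalted
        self.pending = {}  # username -> outstanding one-time nonce

    def register(self, username: str, password: str) -> None:
        self.users[username] = md5_hex(password)

    def challenge(self, username: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username: str, response: str) -> bool:
        nonce = self.pending.pop(username, None)  # consume: each nonce is valid once
        stored = self.users.get(username)
        if nonce is None or stored is None:
            return False
        expected = md5_hex(stored + nonce)
        return secrets.compare_digest(expected, response)


def client_response(password: str, nonce: str) -> str:
    # What the browser-side JS computed: MD5 of (MD5 of password + one-time salt)
    return md5_hex(md5_hex(password) + nonce)


def login(srv: Server, username: str, password: str) -> bool:
    nonce = srv.challenge(username)
    return srv.verify(username, client_response(password, nonce))


def demo() -> tuple:
    srv = Server()
    srv.register("alice", "correct horse")          # constructed test credentials
    nonce = srv.challenge("alice")
    resp = client_response("correct horse", nonce)
    first = srv.verify("alice", resp)                # True: fresh nonce, right password
    replay = srv.verify("alice", resp)               # False: nonce already consumed
    wrong = login(srv, "alice", "wrong password")    # False: hash mismatch
    return first, replay, wrong
```

Because the server has to store `md5(password)` unsalted to recompute the response, that stored value is itself enough to answer any challenge, which is the reason the thread moves on to phpass.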