-
1. Re: Send password hashed
frankyb Jul 17, 2008 5:58 PM (in response to frankyb) Well, having done some tests, I can answer one part: the password is sent in plain text within the POST message.
So it seems I have to do some JavaScript to encrypt it before it is sent...?! Or are there any common procedures? I guess I'm not the first one to do this...
-
2. Re: Send password hashed
luxspes Jul 17, 2008 8:01 PM (in response to frankyb) Hi!
What would be the point of hashing it with JavaScript? That would not help to secure your application even a little bit. (The hash is still transmitted in plain view; anyone can see it, resend it, and get into your application.)
Regards,
-
3. Re: Send password hashed
gjeudy Jul 17, 2008 8:17 PM (in response to frankyb) What type of form authentication have you now? BASIC, DIGEST or something else?
You may want to look at securing your login form with SSL.
-
4. Re: Send password hashed
frankyb Jul 17, 2008 9:02 PM (in response to frankyb) Well, he could get into my application (if I did not secure the hash with an additional timestamp), but he could not retrieve the password and use it for other purposes.
It's a fact that many users use the same password for many different accounts on the internet. So the password that was detected by exploiting my app could be used to gain access to the user's email address, or even worse, to his online banking... And who is guilty, then?
OK, maybe this is somewhat paranoid, but that's why I asked this question ;-) However, for now I deferred this decision, because I have a lot of other issues that should be cleared first.
-
5. Re: Send password hashed
luxspes Jul 17, 2008 9:31 PM (in response to frankyb) And, why not just use HTTP?
-
6. Re: Send password hashed
luxspes Jul 17, 2008 9:32 PM (in response to frankyb)
Francisco Peredo wrote on Jul 17, 2008 21:31: And, why not just use HTTP?
Sorry, I meant to say: And, why not just use HTTPS?
-
7. Re: Send password hashed
frankyb Jul 17, 2008 9:39 PM (in response to frankyb) Yes, I think that would do the trick. But I would need a certificate, and I assume this is not free (for commercial use). Or am I wrong?
-
8. Re: Send password hashed
luxspes Jul 17, 2008 9:57 PM (in response to frankyb) Well, you can create your own self-signed certificate, or you could ask CAcert for a free one... but if you are going to use this for commercial use, I really recommend going and buying one.