Hi, when a user login, the input type="text" get the password and send it thru POST, so the password is not viewable in the URl, but if a person use a sniffer can grab the password...what about using a MD5 client side javascript (like vbulletin does http://www.vbulletin.com/forum/clientscript/vbulletin_md5.js )?
Gizmo
Wizard
Registered: 01/10/00
Posts: 5354
Loc: Portland, OR, USA
Haha agreed; anyone can sniff messages; heck till recently AIM could be sniffed, it still can for those users don't want to spend $15 a year for an SSL cert for AIM :x...
when a user come back to the forum, the md5 hash is taken from the cookie, right? and then the ubb script have to hash the plain text password contained in the user file and compare, right? or the md5 hash is already written in the user file too?
Registered: 11/29/01
Posts: 789
Loc: Des Moines, IA
Right now, the plain text password is hashed and compared to the cookie. I would wager that eventually, there will be md5 server side also ( mentioned here ).
# Password viewing removed entirely per 6/13 meeting
Uncomment the next 7 lines or so. There's your viewable password.
Unfortunately, that will break entirely when we switch to encrypted passwords in the future.... you'll see something akin to "__MD5:abcdef1234567890abcdef1234567890" instead of the password you were expecting.
so in the future all the password will be in md5?
I think this is a good idea..every time ubb request a cookie has to calculate an md5 hash...
comparing the md5 hash (created with a javascript by the client) and the md5 hash stored in the user profile should be better for ubb performance...
Registered: 01/09/00
Posts: 5438
Loc: Lynnwood, WA
Actually, when the switch occurs, the method of storing the authentication token will also change, which will still require some MD5 calculations. Sorry to disappoint.
_________________________
UBB.classic: Love it or hate it, it was mine.
or he will lock you down in PHP hell 
...
Previous Topic
Index