[wp-hackers] Client side password encryption

Matt speedboxer at gmail.com
Mon Mar 17 04:33:10 GMT 2008


How about base64 encoding it before sending it, then decoding it before
WP handles it? It's in no way as secure as MD5, but it's better than
plain text (people trying to steal passwords would probably not bother
or recognize it as base64 and move along)...

On Sun, Mar 16, 2008 at 7:52 PM, Viper007Bond <viper at viper007bond.com> wrote:
> It's quite similar to the plugin I was using as a base.
>
> I assume it too is broken by WordPress 2.5 though as it'll have trouble
> comparing a hashed version of the password (made via JS) against another
> hashed version of the password (in the DB).
>
> On Sun, Mar 16, 2008 at 7:13 PM, Andrew Ferguson <andrew at fergcorp.com> wrote:
>
>
> > Have you ever tried using this plugin:
> >
> > http://www.redsend.org/chapsecurelogin/
> >
> > It's based on the Challenge-Handshake Authentication Protocol (CHAP) and it
> > seems to work pretty well. It might at least be a starting point for what
> > you're trying to do.
> >
> > -Andrew
> > http://AndrewFerguson.net
> >
> >
> > On Sun, Mar 16, 2008 at 7:31 PM, Viper007Bond <viper at viper007bond.com> wrote:
> >
> > > No no, I think the salt and all that stuff is a good idea. I don't want to
> > > mess with it or the database.
> > >
> > > I'm just trying to figure out a way to not send the password in plain text.
> > > MD5'ing it + a separate salt worked well with 2.3.x, but it's proving to be
> > > trouble in 2.5.
> > >
> > > On Sun, Mar 16, 2008 at 11:04 AM, James Davis <james at freecharity.org.uk> wrote:
> > >
> > > >
> > > > On 16 Mar 2008, at 09:27, Viper007Bond wrote:
> > > >
> > > > > > Is it even possible? I can't think of a way to take the MD5 of the password
> > > > > > and use it to check the password due to the salting. I can't MD5 the
> > > > > > original password and compare it to the submitted hash as the original
> > > > > > obviously isn't stored anywhere.
> > > >
> > > > I think (I'm away from home and unable to check precisely) that when
> > > > I coded the new password functions things were left pluggable in the
> > > > right places to allow you to use a different hashing algorithm. If
> > > > you really wanted to use this plugin, you might be able to write
> > > > another plugin that reinstates plain MD5 passwords. Please let me
> > > > know if this isn't the case. :-)
> > > >
> > > > James
> > > > _______________________________________________
> > > > wp-hackers mailing list
> > > > wp-hackers at lists.automattic.com
> > > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > > >
> > >
> > >
> > >
> > > --
> > > Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/
> > >
> >
>
>
>
> --
>
> Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/
>



-- 
Matt (speedboxer at gmail.com)
http://mattsblog.ca/
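
Added example, not part of the thread or of any plugin mentioned in it: a Node.js sketch of the two points under discussion, that base64 on the wire decodes without any secret, and that a CHAP-style response built from MD5(password) only verifies when the server stores that same MD5. The salted hash is a simplified stand-in, not WordPress 2.5's actual scheme, and all function names and sample values are constructed.

```javascript
// Added example (not from the thread). Names and values are constructed.
const crypto = require('crypto');
const md5 = (s) => crypto.createHash('md5').update(s).digest('hex');

// 1. Base64 is an encoding: decoding it needs no secret.
function base64RoundTrip(password) {
  const onTheWire = Buffer.from(password, 'utf8').toString('base64');
  const recovered = Buffer.from(onTheWire, 'base64').toString('utf8');
  return { onTheWire, recovered };
}

// 2. CHAP-style exchange: the server issues a fresh challenge and the client
//    answers with MD5(challenge + MD5(password)). The server must recompute it.
function clientResponse(challenge, password) {
  return md5(challenge + md5(password));
}

// Server that stores plain MD5(password): it can rebuild the expected response.
function verifyWithPlainMd5(storedMd5, challenge, response) {
  return md5(challenge + storedMd5) === response;
}

// Server that stores a salted hash (stand-in: MD5(salt + password)).
// It holds neither the password nor MD5(password), so the best it can do is
// use its stored value as the shared secret, and that never matches.
function verifyWithSaltedHash(storedSalted, challenge, response) {
  return md5(challenge + storedSalted) === response;
}

function demo() {
  const password = 'correct horse'; // constructed sample
  const salt = 'Xq3v9LmZ';          // constructed sample
  const challenge = crypto.randomBytes(16).toString('hex');
  const nextChallenge = crypto.randomBytes(16).toString('hex');
  const response = clientResponse(challenge, password);
  return {
    base64: base64RoundTrip(password),
    plainMd5Ok: verifyWithPlainMd5(md5(password), challenge, response),
    saltedOk: verifyWithSaltedHash(md5(salt + password), challenge, response),
    // A later login gets a new challenge, so the old response no longer verifies.
    oldResponseOk: verifyWithPlainMd5(md5(password), nextChallenge, response),
  };
}

console.log(demo());
```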

