[wp-hackers] Client side password encryption

Viper007Bond viper at viper007bond.com
Mon Mar 17 04:56:53 GMT 2008


That's just security through obscurity though.

Perhaps the base64 encoded string could be modified randomly in a
pre-determined way though that only the host and the client knew about
(similar to a salt). Something like adding some characters after X
characters, etc.

I haven't given up on MD5 though. I'm gonna read some more into how WP salts
the passwords and stuff. Hopefully it still uses a MD5 of the password
somewhere (pre-salt or something).

On Sun, Mar 16, 2008 at 9:33 PM, Matt <speedboxer at gmail.com> wrote:

> How about base64 encoding it before sending it, then decode it before
> WP handles it. It's in no way as secure as MD5, but it's better than
> plain text (people trying to steal password would probably not bother
> or recognize it as base64 and move along)...
>
> On Sun, Mar 16, 2008 at 7:52 PM, Viper007Bond <viper at viper007bond.com>
> wrote:
> > It's quite similar to the plugin I was using as a base.
> >
> > I assume it too is broken by WordPress 2.5 though as it'll have trouble
> > comparing a hashed version of the password (made via JS) against another
> > hashed version of the password (in the DB).
> >
> > On Sun, Mar 16, 2008 at 7:13 PM, Andrew Ferguson <andrew at fergcorp.com>
> > wrote:
> >
> >
> > > Have you ever tried using this plugin:
> > >
> > > http://www.redsend.org/chapsecurelogin/
> > >
> > > It's based on the Challenge-Handshake Authentication Protocol (CHAP) and
> > > it seems to work pretty well. It might at least be a starting point for
> > > what you're trying to do.
> > >
> > > -Andrew
> > > http://AndrewFerguson.net
> > >
> > >
> > > On Sun, Mar 16, 2008 at 7:31 PM, Viper007Bond <viper at viper007bond.com>
> > > wrote:
> > >
> > > > No no, I think the salt and all that stuff is a good idea. I don't
> > > > want to mess with it or the database.
> > > >
> > > > I'm just trying to figure out a way to not send the password in
> > > > plain text.
> > > > MD5'ing it + a separate salt worked well with 2.3.x, but it's
> > > > proving to be trouble in 2.5.
> > > >
> > > > On Sun, Mar 16, 2008 at 11:04 AM, James Davis <james at freecharity.org.uk>
> > > > wrote:
> > > >
> > > > >
> > > > > On 16 Mar 2008, at 09:27, Viper007Bond wrote:
> > > > >
> > > > > > Is it even possible? I can't think of a way to take the MD5 of
> > > > > > the password and use it to check the password due to the salting.
> > > > > > I can't MD5 the original password and compare it to the submitted
> > > > > > hash as the original obviously isn't stored anywhere.
> > > > >
> > > > > I think (I'm away from home and unable to check precisely) that
> > > > > when I coded the new password functions things were left pluggable
> > > > > in the right places to allow you to use a different hashing
> > > > > algorithm. If you really wanted to use this plugin, you might be
> > > > > able to write another plugin that reinstates plain MD5 passwords.
> > > > > Please let me know if this isn't the case. :-)
> > > > >
> > > > > James
> > > > > _______________________________________________
> > > > > wp-hackers mailing list
> > > > > wp-hackers at lists.automattic.com
> > > > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Viper007Bond | http://www.viper007bond.com/ |
> http://www.finalgear.com/
> > > >
> > >
> >
> >
> >
> > --
> >
> > Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/
> >
>
>
>
> --
> Matt (speedboxer at gmail.com)
> http://mattsblog.ca/
>



-- 
Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/