[wp-hackers] Client side password encryption

Viper007Bond viper at viper007bond.com
Mon Mar 17 19:34:08 GMT 2008


Yeah, that's why a one-way hashing method is needed.

Previously, the JS would MD5 a string made up of the MD5 of the password
plus a one-time salt, and then the server would replicate that (it already
had the MD5 of the password) and compare.

On Mon, Mar 17, 2008 at 10:44 AM, Jared Bangs <jared at pacific22.com> wrote:

> On Mon, Mar 17, 2008 at 1:25 AM, Viper007Bond <viper at viper007bond.com> wrote:
>
> > Obscuring a base64-encoded string also won't work because the server has
> > to tell the client how to obscure it, which someone could easily intercept
> > and then use to fix the malformed hash and then decode it.
> >
> > Oh well. I guess it's either SSL or nothing.
> >
>
> Yeah, pretty much (for what it sounds like you want to do, anyway). If
> there is the possibility for interception that you mention above, then it
> wouldn't matter if you could reimplement the same phpass algorithm on the
> client, since whatever you send to the server could still be captured and
> replayed, resulting in a successful login.



-- 
Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/