[wp-hackers] Client side password encryption
Viper007Bond
viper at viper007bond.com
Sun Mar 16 09:43:55 GMT 2008
Yeah, this isn't assumed to be 100% secure, merely a way to avoid sending
the password plaintext via an unencrypted connection (like a public wifi or
whatever).
Anyway, so if it does indeed "upgrade" the old MD5 hash in the database to a
new salted one, I could salt the POST'ed MD5 hash and compare it to the one
in the database, no?
On Sun, Mar 16, 2008 at 2:36 AM, DD32 <wordpress at dd32.id.au> wrote:
> On Sun, 16 Mar 2008 20:27:12 +1100, Viper007Bond <viper at viper007bond.com>
> wrote:
>
> > So I've been playing around with
> > http://wordpress.org/extend/plugins/semisecure-login/
> ..
> > Is it even possible? I can't think of a way to take the MD5 of the
> > password and use it to check the password due to the salting. I can't MD5 the
> > original password and compare it to the submitted hash as the original
> > obviously isn't stored anywhere.
> >
> > What about the upgrade method though? Does 2.5 migrate the old MD5
> > hashes to the new method or does it just leave them alone and only screw with the
> > cookies?
>
> When the user logs in, if the password hash is <= 32 char, then it creates
> a new hash for the user with a salt added in.
>
> I don't think there's a secure method of client-side password hashing now;
> it either has to be 2-way encryption so that the server can get the original
> password, or you need to pass the salt back to the JS and implement phpass
> in JavaScript, neither of which you'd want to do.
>
> You, of course, could store another password in the database which is not
> salted, so that it allows you to login via passing a hashed password along,
> but it's not of much use IMO
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
--
Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/
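As an added illustration (not code from this thread, from WordPress or from phpass), a small Python model of the two flows discussed above: the login-time upgrade of legacy 32-character MD5 rows that DD32 describes, and the "salt the POSTed MD5 and compare" variant Viper asks about. phpass is replaced by a PBKDF2 stand-in, and the `row` dict and function names are assumptions.

```python
import hashlib
import hmac
import os

LEGACY_MD5_LEN = 32  # a stored hash this short is treated as unsalted MD5


def legacy_md5(password: str) -> str:
    """Pre-2.5 storage: plain MD5 of the plaintext password."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(secret: str, salt: bytes = b"") -> str:
    """Stand-in for phpass (assumption): random salt + PBKDF2-SHA256."""
    salt = salt or os.urandom(8)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)
    return "$p$" + salt.hex() + "$" + dk.hex()


def verify_salted(stored: str, secret: str) -> bool:
    _, _, salt_hex, _ = stored.split("$")
    candidate = salted_hash(secret, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def login(row: dict, password: str) -> bool:
    """Upgrade-on-login as described in the thread: a <=32-char hash is legacy
    MD5; a successful login rewrites it as a salted hash of the plaintext."""
    stored = row["pass"]
    if len(stored) <= LEGACY_MD5_LEN:
        if not hmac.compare_digest(stored, legacy_md5(password)):
            return False
        row["pass"] = salted_hash(password)  # upgrade: salt the plaintext
        return True
    return verify_salted(stored, password)


def login_with_client_md5(row: dict, client_md5: str) -> bool:
    """Viper's variant: the browser sends md5(password) and the server salts
    that value instead of the plaintext. It only verifies against rows whose
    salted hash was built over the MD5, so rows upgraded by login() will fail.
    Note the stored row then accepts the bare MD5 as the credential: anyone
    who captures that value can replay it, so only the plaintext is hidden."""
    stored = row["pass"]
    if len(stored) <= LEGACY_MD5_LEN:
        if not hmac.compare_digest(stored, client_md5):
            return False
        row["pass"] = salted_hash(client_md5)  # upgrade: salt the MD5
        return True
    return verify_salted(stored, client_md5)
```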