[wp-hackers] Client side password encryption

Viper007Bond viper at viper007bond.com
Sun Mar 16 09:47:11 GMT 2008


Oh wait, that wouldn't work for accounts created in WP 2.5, right? Bah.

Guess I'm outta luck. Oh well.

On Sun, Mar 16, 2008 at 2:43 AM, Viper007Bond <viper at viper007bond.com>
wrote:

> Yeah, this isn't assumed to be 100% secure, merely a way to avoid sending
> the password plaintext via an unencrypted connection (like a public wifi or
> whatever).
>
> Anyway, so if it does indeed "upgrade" the old MD5 hash in the database to
> a new salted one, I could salt the POST'ed MD5 hash and compare it to the
> one in the database, no?
>
>
> On Sun, Mar 16, 2008 at 2:36 AM, DD32 <wordpress at dd32.id.au> wrote:
>
> > On Sun, 16 Mar 2008 20:27:12 +1100, Viper007Bond <viper at viper007bond.com>
> > wrote:
> >
> > > So I've been playing around with
> > > http://wordpress.org/extend/plugins/semisecure-login/
> > ..
> > > Is it even possible? I can't think of a way to take the MD5 of the
> > > password and use it to check the password due to the salting. I can't
> > > MD5 the original password and compare it to the submitted hash as the
> > > original obviously isn't stored anywhere.
> > >
> > > What about the upgrade method though? Does 2.5 migrate the old MD5
> > > hashes to the new method or does it just leave them alone and only
> > > screw with the cookies?
> >
> > When the user logs in, if the password hash is <= 32 chars, then it
> > creates a new hash for the user with a salt added in.
> >
> > I don't think there's a secure method of client-side password hashing now;
> > it either has to be 2-way encryption so that the server can get the original
> > password, or you need to pass the salt back to the JS and implement phpass
> > in JavaScript, neither of which you'd want to do.
> >
> > You could, of course, store another password in the database which is not
> > salted, so that it allows you to log in via passing a hashed password along,
> > but it's not of much use IMO
> >
>
>
>
> --
> Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/
>



-- 
Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/
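
Added example, not part of the original thread or of WordPress: a Python sketch of the exchange above, showing why a POSTed MD5 verifies against a legacy row but not against an upgraded one. `salted_hash` is a simplified stand-in for phpass, and the `$demo$` format, function names and sample password are assumptions.

```python
import hashlib
import hmac
import os

ROUNDS = 256  # constructed work factor, kept small for the demo

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def salted_hash(secret: bytes, salt: bytes) -> str:
    """Simplified salted, iterated hash standing in for phpass (assumption)."""
    digest = hashlib.md5(salt + secret).digest()
    for _ in range(ROUNDS):
        digest = hashlib.md5(digest + secret).digest()
    return "$demo$" + salt.hex() + "$" + digest.hex()

def login_with_plaintext(user: dict, password: str) -> bool:
    """Server receives the plaintext; legacy MD5 rows are upgraded on success."""
    secret = password.encode()
    if len(user["hash"]) <= 32:  # legacy unsalted MD5, as described in the thread
        if not hmac.compare_digest(user["hash"], md5_hex(secret)):
            return False
        user["hash"] = salted_hash(secret, os.urandom(8))  # upgrade in place
        return True
    salt = bytes.fromhex(user["hash"].split("$")[2])
    return hmac.compare_digest(user["hash"], salted_hash(secret, salt))

def login_with_posted_md5(user: dict, posted_md5: str) -> bool:
    """Server receives only md5(password) from the client-side script."""
    if len(user["hash"]) <= 32:
        # Matches, but the stored MD5 is then password-equivalent:
        # the value in the table is itself the login credential.
        return hmac.compare_digest(user["hash"], posted_md5)
    # Salting the posted MD5 hashes md5(password), not password, so it
    # cannot equal a hash that was computed over the plaintext.
    salt = bytes.fromhex(user["hash"].split("$")[2])
    return hmac.compare_digest(user["hash"], salted_hash(posted_md5.encode(), salt))

def demo() -> dict:
    password = "correct horse"  # constructed sample value
    posted = md5_hex(password.encode())
    legacy = {"hash": posted}  # pre-2.5 style row: bare 32-char MD5
    results = {"legacy_posted_md5": login_with_posted_md5(legacy, posted)}
    results["plaintext_upgrades"] = login_with_plaintext(legacy, password)
    results["hash_len_after_upgrade"] = len(legacy["hash"])
    results["upgraded_posted_md5"] = login_with_posted_md5(legacy, posted)
    results["upgraded_plaintext"] = login_with_plaintext(legacy, password)
    return results
```

Calling `demo()` returns the outcome of each login path for one account before and after the upgrade.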

