[wp-hackers] Client side password encryption

Sam Bauers sam at automattic.com
Mon Mar 17 15:15:35 GMT 2008


I did the porting of the new phpass hashing to bbPress, and I'm 99.99%  
sure that what you want can't be achieved.

You would need to enlist your own reversible hashing (in JavaScript
and PHP) to pass the real password to the login functions.

Sam


On 17/03/2008, at 7:25 PM, Viper007Bond wrote:

> Never mind about this whole thread. I don't think it's possible as while I
> don't know about migrated passwords, I believe all post-2.5 passwords will
> be encrypted without ever touching MD5. Just a direct password -> phpass and
> replicating phpass with JS doesn't look easy or a good idea.
>
> Obscuring a base64 encoded string also won't work because the server has to
> tell the client how to obscure it which someone could easily intercept and
> then use to fix the malformed hash and then decode it.
>
> Oh well. I guess it's either SSL or nothing.
>
> -- 
> Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/


---------------------
Sam Bauers
Automattic, Inc.

sam at automattic.com
http://automattic.com
http://wordpress.com
http://wordpress.org
http://bbpress.org
http://unlettered.org
---------------------
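
The point made in this thread, that a login check built on a salted, iterated hash needs the real password and cannot verify a client-side MD5 of it, shown as an added example (not part of the original message, and not WordPress or phpass code). `stretch` is a simplified stand-in shaped like phpass's portable hash without its custom encoding; all names, the round count and the sample password are assumptions made for illustration.

```javascript
// Added example: simplified stand-in for a phpass-style portable hash
// (salted, iterated MD5). Not the real phpass output format.
const crypto = require('crypto');

const md5 = (...parts) => {
  const h = crypto.createHash('md5');
  for (const p of parts) h.update(p);
  return h.digest();
};

// Hash salt + plaintext, then fold the plaintext in again on every round.
function stretch(password, salt, rounds) {
  const pw = Buffer.from(password, 'utf8');
  let hash = md5(salt, pw);
  for (let i = 0; i < rounds; i++) hash = md5(hash, pw);
  return hash;
}

// What the server keeps: per-user salt, round count, stretched hash.
function storeUser(password) {
  const salt = crypto.randomBytes(8);
  const rounds = 1 << 8; // constructed value for the demo
  return { salt, rounds, hash: stretch(password, salt, rounds) };
}

// Login check: recomputes the hash from whatever the client submitted.
function checkLogin(record, submitted) {
  const candidate = stretch(submitted, record.salt, record.rounds);
  return crypto.timingSafeEqual(candidate, record.hash);
}

// What a client-side MD5 step would send instead of the password.
function clientSideMd5(password) {
  return crypto.createHash('md5').update(password, 'utf8').digest('hex');
}

function demo() {
  const record = storeUser('correct horse'); // constructed sample password
  return {
    plaintext: checkLogin(record, 'correct horse'),
    preHashed: checkLogin(record, clientSideMd5('correct horse')),
    wrong: checkLogin(record, 'wrong'),
  };
}

console.log(demo());
```

Only the plaintext submission verifies; the pre-hashed value is rejected exactly like a wrong password, because the stored hash was never derived from an MD5 digest.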


