[wp-hackers] Client side password encryption

Jared Bangs jared at pacific22.com
Mon Mar 17 17:44:03 GMT 2008


On Mon, Mar 17, 2008 at 1:25 AM, Viper007Bond <viper at viper007bond.com>
wrote:

>
> Obscuring a base64 encoded string also won't work because the server has to
> tell the client how to obscure it which someone could easily intercept and
> then use to fix the malformed hash and then decode it.
>
> Oh well. I guess it's either SSL or nothing.
>

Yeah, pretty much (for what it sounds like you want to do, anyway). If there
is the possibility for interception that you mention above, then it wouldn't
matter if you could reimplement the same phpass algorithm on the client,
since whatever you send to the server could still be captured and replayed,
resulting in a successful login.
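
The replay problem described in this message, as an added example that is not part of the original post: a simulated login over an unencrypted channel where the client hashes the password before sending it. The `Server` class, the function names and the sample password are hypothetical, and PBKDF2 stands in for phpass.

```python
import hashlib
import hmac
import os

def client_hash(password: str, salt: bytes) -> bytes:
    # Stand-in for a phpass-style salted hash (assumption: PBKDF2 here, not phpass).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class Server:
    """Hypothetical login endpoint that trusts a hash computed by the client."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.stored = client_hash(password, self.salt)

    def get_salt(self) -> bytes:
        # The client needs the salt to hash, so it crosses the wire in the clear.
        return self.salt

    def login(self, submitted: bytes) -> bool:
        return hmac.compare_digest(submitted, self.stored)

def simulate_plain_http_login() -> dict:
    password = "correct horse battery staple"  # constructed sample value
    server = Server(password)
    wire = []  # everything a passive observer on the network path records

    salt = server.get_salt()
    wire.append(salt)
    submitted = client_hash(password, salt)
    wire.append(submitted)
    legitimate = server.login(submitted)

    # Later, the recorded bytes are sent again with no knowledge of the password.
    replayed = server.login(wire[-1])

    return {
        "legitimate": legitimate,
        "replayed": replayed,
        "password_on_wire": any(password.encode() in m for m in wire),
    }

if __name__ == "__main__":
    print(simulate_plain_http_login())
```

The password never appears on the wire, yet the recorded hash is accepted on its own, so the hash has become the credential and only an encrypted channel protects it.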

