Re: How to encrypt password forms in my web app? (Can't SSL)

From: Bill Unruh (unruh@string.physics.ubc.ca)
Date: 11/28/02


From: unruh@string.physics.ubc.ca (Bill Unruh)
Date: 28 Nov 2002 22:14:39 GMT

pvm@capmon.dk (Peter Mørch) writes:

]Thanks a lot for your reply. What a wonderful idea! You know what? I
]think that's what I'll do.

]> One problem is that you still need to store the user's passwords in
]> clear-text somewhere for the server to form the hash

]Instead of storing the passwords on the server in clear-text, I'll
]store an md5 hash of their passwords. And then have the javascript
]send back an md5 of the username, challenge and (md5 of password).

That is the same thing. The md5 of the password now simply replaces the
password. If someone sniffs the server and finds that md5 hash, they can
use it to log on.

]Only problem is that currently our app saves MySQL's
]PASSWORD("password") - using MySQL's proprietary PASSWORD function,
]not md5("password"). I won't be able to duplicate the PASSWORD
]function on the client side. AAaaaaaaaaaarrrrrh.

]OK, our users are going to have to reenter their passwords. There
]aren't _that_ many user accounts.

]> (assuming the server is intelligent enough to not re-issue
]> the same challenge to the same user and so on).

]Apache's environment variable: UNIQUE_ID e.g. == PeZqcX8AAAIAAFeFAnA
]will do nicely as the challenge, I guess...

]Again, thank you for your reply. I'll use it!

]Peter

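The scheme discussed in this thread, written out as an added example (not code from either poster): the server stores md5(password) as Peter proposes, issues a fresh challenge per login, and the client answers with md5(username, challenge, md5(password)). The last function makes Bill's objection concrete: anyone holding the stored verifier can produce a valid response without ever knowing the password, so the stored hash must be protected exactly as a clear-text password would be. The field separator, the random challenge (in place of Peter's Apache UNIQUE_ID) and the function names are this example's own assumptions.

```python
import hashlib
import secrets


def md5_hex(data: str) -> str:
    """Hex MD5 of a UTF-8 string (MD5 is used only because the thread uses it)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def join_fields(*fields: str) -> str:
    # Assumed separator so that ("ab", "c") and ("a", "bc") cannot collide;
    # the original thread does not specify how the fields are concatenated.
    return "\x00".join(fields)


# --- registration (server side) ---
def make_verifier(password: str) -> str:
    """What the server stores instead of the clear-text password."""
    return md5_hex(password)


# --- login, server side ---
def new_challenge() -> str:
    """Fresh random challenge per login attempt (stands in for UNIQUE_ID)."""
    return secrets.token_hex(16)


def server_verify(username: str, challenge: str, stored_verifier: str,
                  response: str) -> bool:
    """Recompute the expected response from the stored verifier and compare."""
    expected = md5_hex(join_fields(username, challenge, stored_verifier))
    return secrets.compare_digest(expected, response)


# --- login, client side (the JavaScript in the thread) ---
def client_response(username: str, challenge: str, password: str) -> str:
    """The browser only ever needs the password, never the verifier."""
    return md5_hex(join_fields(username, challenge, md5_hex(password)))


# --- Bill's point: the verifier is password-equivalent ---
def response_from_verifier(username: str, challenge: str,
                           stored_verifier: str) -> str:
    """Identical computation to server_verify's expected value: knowing
    the stored md5 hash is enough to answer any challenge."""
    return md5_hex(join_fields(username, challenge, stored_verifier))


def demo() -> dict:
    """Run one honest login, one login using only the stored verifier,
    one wrong password, and one replay against a stale challenge."""
    user, password = "peter", "correct horse"       # constructed sample values
    verifier = make_verifier(password)              # stored at registration

    c1 = new_challenge()
    honest = server_verify(user, c1, verifier, client_response(user, c1, password))

    c2 = new_challenge()
    hash_only = server_verify(user, c2, verifier,
                              response_from_verifier(user, c2, verifier))

    c3 = new_challenge()
    wrong_pw = server_verify(user, c3, verifier,
                             client_response(user, c3, "not the password"))

    # A response captured for c1 does not verify once a new challenge is issued.
    c4 = new_challenge()
    replay = server_verify(user, c4, verifier, client_response(user, c1, password))

    return {"honest": honest, "hash_only": hash_only,
            "wrong_password": wrong_pw, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The `hash_only` result is the whole of Bill's objection: server_verify and response_from_verifier are the same computation, so the server-side table of md5 hashes is a table of login credentials, not a table of one-way verifiers. The random per-login challenge does defeat replay of a sniffed response, which is the property the scheme was chosen for.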