> You could (theoretically) have an applet, or maybe even some JavaScript
> (not sure if JavaScript can do this), encrypt the password using something
> like an MD5 algorithm, and send that back to the server over regular HTTP.
> Then you'd decrypt the password on the other side.
To be pedantically technical, this is no more safe than sending the password
in plaintext. If you sent plaintext, someone snooping would see something
like this:
Username: foo
Password: bar
Scrambling it with an MD5 one-way hash would mean that the person snooping
would see something like this:
Username: foo
Password: 6xFg2HfM
However, the string "6xFg2HfM" would not change, so all the snooper need do
now is send the same username/hashed password combo to break into the
account.
To make this secure, the server would need to provide some sort of "salt" to
hash in with the user's password. This "salt" can be any random string you
like, as long as the same string is used on the server side. This presumes
that the user's password is logged in plaintext on the server side. So, the
interaction would be:
Server => Client:
Salt=kwijybo
Client => Server:
Username: foo
Password: 99kdiegT
(computed by concatenating "kwijybo" and "bar", then MD5ing the string)
The server then computes the MD5 hash of "kwijybobar" and compares its
result to the one coming from the client.
Of course, what you should really, *really* do is use SSL. Getting security
and encryption right is hard; I'm sure there's something wrong with my
previous example.
Mike
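As an added example (not code from the original message or from the JSP-INTEREST list), here are the two schemes Mike contrasts, in Python: the fixed MD5 hash a snooper can simply resend, and the salted challenge-response where the server issues a fresh salt per login. The foo/bar credential, the hex encoding of the MD5 output and the helper names are constructed for the illustration.

```python
import hashlib
import secrets

# Constructed credential store. As the post notes, the salted scheme presumes
# the server holds the plaintext password so it can recompute MD5(salt + pw).
USERS = {"foo": "bar"}


def static_hash(password: str) -> str:
    """Quoted proposal: hash the password alone. Same input, same output, every login."""
    return hashlib.md5(password.encode()).hexdigest()


def issue_salt() -> str:
    """Server step: a fresh random salt per login attempt (reusing one reopens replay)."""
    return secrets.token_hex(8)


def client_response(salt: str, password: str) -> str:
    """Client step: MD5 of salt concatenated with the password ("kwijybobar" in the post)."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def server_verify(username: str, salt: str, response: str) -> bool:
    """Server step: recompute MD5(salt + stored password) and compare in constant time."""
    password = USERS.get(username)
    if password is None:
        return False
    expected = hashlib.md5((salt + password).encode()).hexdigest()
    return secrets.compare_digest(expected, response)


def replay_static_scheme() -> bool:
    """Snooper resends the captured fixed hash; True means the server accepted it."""
    captured = static_hash("bar")                 # seen once on the wire
    return captured == static_hash(USERS["foo"])  # server recomputes the same value


def replay_salted_scheme() -> bool:
    """Snooper resends a captured (salt, response) pair against a new login; True means accepted."""
    first_salt = issue_salt()
    captured = client_response(first_salt, "bar")
    if not server_verify("foo", first_salt, captured):
        raise RuntimeError("legitimate login should verify")
    second_salt = issue_salt()                    # new attempt, new salt
    return server_verify("foo", second_salt, captured)


if __name__ == "__main__":
    print("static hash replay accepted:", replay_static_scheme())   # True
    print("salted replay accepted:    ", replay_salted_scheme())    # False
```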
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
FAQs on JSP can be found at:
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.html